secret-scanning



GitHub now protects you by scanning public repos for leaked GitHub login credentials. If you accidentally expose your username and password in code or commit metadata, we will automatically reset your password and email you.

We'd like to thank Will Deane, Director and Principal Consultant at ASX Consulting, and Aaron Devaney, Principal Security Consultant at MDSec, for surfacing the threat of exposed passwords and helping us secure all our users via GitHub's Security Bug Bounty program. You can read more from the researchers here.


GitHub Advanced Security customers can now dry run custom secret scanning patterns at the organization (and repository) level. Dry runs allow admins to understand a pattern's impact across an organization and hone the pattern before publishing and generating alerts.

Admins can compose a pattern, then choose 'Save and dry run' to retrieve results from their selected repositories. Scan results appear on screen as they are detected, and admins can leave the page and return later to their saved pattern's dry run results. Enterprise-level dry runs will follow shortly.


The audit log now includes events associated with secret scanning custom patterns. This data helps GitHub Advanced Security customers understand actions taken on their repository-, organization-, or enterprise-level custom patterns for security and compliance audits.

New events will be added to the audit log when a custom pattern is created, updated, or deleted.


GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret.


Organizations with GitHub Advanced Security can now prevent secret leaks with secret scanning’s new push protection feature.

For repositories with push protection enabled, GitHub will block any pushes where a high-confidence token is detected. Developers can bypass the block by providing details of why the secret needs to be committed via a web UI.

Push protection scans for tokens that can be detected with a very low false positive rate. If you run a service that issues tokens we’d love to work with you to make them highly identifiable and include them in push protection. We changed the format of GitHub’s own personal access tokens last year with this in mind.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.

We have partnered with Supabase to scan for their API keys, which allow users to update and access database changes. We'll forward the API keys that we find in public repositories to Supabase, who will automatically revoke the detected secrets and notify the affected users.

We continue to welcome new partners for public repository secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets we help protect users from data leaks and fraud associated with exposed data.

We have partnered with Octopus Deploy to scan for access tokens for their cloud-hosted product, Octopus Cloud. Octopus API keys allow users to perform tasks like creating and deploying releases. We'll forward access tokens found in public repositories to Octopus Deploy, who will notify the affected user via email. More information about Octopus Deploy API tokens can be found here.

We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.


GitHub Advanced Security customers can now scan their public repositories using Advanced Security secret scanning. Like scanning on private repositories, scanning on public repositories can be enabled at the repository, organization, and enterprise levels. Results can be viewed at each level in both the UI and API.

In addition, GitHub continues to scan all public repositories for secrets issued by our secret scanning partners and to send any detections to the relevant partners. Secret detections that overlap between partner patterns and Advanced Security patterns will be sent to the partner and appear in the secret scanning UI.


GitHub Advanced Security customers can now dry run custom secret scanning patterns at the repository level. Dry runs allow admins to review and hone their patterns before publishing them and generating alerts.

Admins can compose a pattern, then choose 'Save and dry run' to retrieve results from their repository. The scans are fast – typically just a few seconds – but GitHub will also notify admins via email when dry run results are ready. Organization- and enterprise-level dry runs will follow shortly.


GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans may prevent data leaks and any fraud associated with exposed data.

We have partnered with Typeform to scan for their access tokens and help secure our mutual users. Typeform API tokens allow Typeform users to create forms, retrieve responses, and configure webhooks. More information about Typeform API tokens can be found here.

We’ll forward access tokens found in public repositories to Typeform, who will verify and automatically disable the token. Typeform will then notify the user with the detection details (token name, where it was detected, and the token scopes).

We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.


GitHub Advanced Security customers can now use the GitHub REST API to retrieve commit details of secrets detected in private repository scans. Now available on cloud, the new endpoint will surface details of a secret's first detection within a file, including the secret's location and commit SHA.


GitHub secret scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and prevent the fraudulent use of accidentally committed secrets.

We have partnered with Meta to scan for their access tokens and help keep our mutual users secure. Our scan currently covers Facebook user access tokens and page access tokens. These tokens provide permissions to APIs that read, write, or modify the data belonging to a Facebook user or page.

We'll forward access tokens found in public repositories to Meta. Meta will then automatically invalidate tokens that have a valid session and notify app developers.

We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.


GitHub secret scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and prevent the fraudulent use of accidentally committed secrets.

When enabled on private repositories, GitHub secret scanning raises alerts directly to users. The quality of this experience depends on the quality of the patterns we scan for, which we are constantly refining. In line with that, we are removing our pattern for Azure SQL connection strings from our default pattern set on private repositories.

Advanced Security customers can replicate our previous pattern for Azure SQL connection strings using custom patterns with the following regex:
(?i)[a-z][a-z0-9-]+\.database(?:\.secure)?\.(?:(?:windows|usgovcloudapi)\.net|chinacloudapi\.cn|cloudapi\.de)
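To see why a hostname-only pattern is noisy, here is an added example (not GitHub's code) that runs the regex quoted above over a few constructed lines. The extra "inline password on the same line" check is our own illustrative refinement, not GitHub's planned replacement pattern.

```python
import re

# The retired default pattern, exactly as quoted in the changelog entry above.
AZURE_SQL_HOST = re.compile(
    r"(?i)[a-z][a-z0-9-]+\.database(?:\.secure)?\."
    r"(?:(?:windows|usgovcloudapi)\.net|chinacloudapi\.cn|cloudapi\.de)"
)

# Illustrative refinement (our assumption, not GitHub's pattern): a hostname
# is only treated as a leaked *connection string* when the same line also
# carries an inline password, which is what actually grants access.
PASSWORD_KV = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+")


def find_azure_sql_hosts(text: str) -> list[str]:
    """Return every Azure SQL hostname the retired pattern would flag."""
    return [m.group(0) for m in AZURE_SQL_HOST.finditer(text)]


def classify_line(line: str) -> str:
    """'credential' (host + inline password), 'host-only' (likely false
    positive), or 'clean' (no Azure SQL host at all)."""
    if not AZURE_SQL_HOST.search(line):
        return "clean"
    return "credential" if PASSWORD_KV.search(line) else "host-only"


# Constructed sample input: three lines of the kind found in repositories.
SAMPLE_LINES = [
    # 1. A full connection string with an inline password: worth an alert.
    "Server=tcp:contoso-prod.database.windows.net,1433;Initial Catalog=app;"
    "User ID=appuser;Password=EXAMPLE_NOT_A_REAL_SECRET;Encrypt=True;",
    # 2. Documentation naming a host with no credential: the hostname-only
    #    regex still fires here, which is the false-positive class.
    "Point the client at contoso-prod.database.usgovcloudapi.net and use AAD.",
    # 3. A lookalike domain outside the pattern's suffix list.
    "DATABASE_URL=postgres://db.database.example.com/app",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify_line(line):10} {find_azure_sql_hosts(line)}")
```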

We intend to introduce a more general pattern for database connection strings, with a lower false positive rate, in the near future.

Check out our docs for more information on the 100+ patterns that we scan for.


GitHub Secret Scanning helps protect users by searching repositories for known types of secrets. By flagging leaked secrets, our scans can prevent data leaks and fraudulent uses of secrets that were committed accidentally.

Checkout.com is a cloud-based global payments platform that empowers brands like Adidas, Samsung, and Wise with digital payments built for speed and scale. Checkout.com alerts customers and their account managers of any suspected credential compromise based on notifications from GitHub.

FullStory's Digital Experience Intelligence platform helps companies answer questions about their digital experience by transforming digital interactions across websites and mobile apps into actionable metrics. If a token is exposed, FullStory will notify the developer at risk. For more information on protecting and rotating your FullStory tokens, please refer to their documentation.

We partnered with Checkout.com and FullStory to scan for their API tokens to help keep all of our mutual developers and customers secure. We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.


GitHub Advanced Security customers can now edit their custom patterns defined at the repository, organization, and enterprise levels. After a user edits and saves a pattern, secret scanning searches for matches both in a repository's entire git history and in any new commits. Editing a pattern will close alerts previously associated with the pattern if they no longer match the updated version.

The new editing feature comes along with other UI and UX updates, with additional improvements like dry-runs in the works.

Now that users can edit their patterns, we're also taking custom patterns out of beta on cloud. Over 50 enterprises have adopted the feature and written over 100 unique patterns since the initial release in June.

User-defined patterns will be generally available on server next quarter in GitHub Enterprise Server 3.3.


GitHub Secret Scanning searches repositories for known types of secrets so that accidentally committed secrets cannot be used fraudulently, protecting users from fraud and data leaks.

Contributed Systems provides open source and commercial background job systems (Sidekiq and Faktory) for business applications written in a variety of programming languages, including Ruby, Go, Python, and JavaScript. If your Contributed Systems credentials are committed to a public repository, we'll send those matches to them and they'll reach out to you directly.

We continue to welcome new partners for public repo secret scanning. In addition, GitHub Advanced Security customers can also scan their private repositories for leaked secrets.


GitHub Advanced Security customers can now view all their private repo secret scanning alerts in the organization security tab. This view is currently only available to organization owners, but will soon also be available to users with the security manager role.

For API use cases, please see the recent secret scanning org-level REST API release.
