Skip to content

/ Blog

Use Copilot for free Contact sales

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Categories

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Contact sales Use Copilot for free

secret-scanning

Subscribe to all “secret-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

→ ~ cd github-changelog

→ ~/github-changelog|main git log main

showing all changes successfully

Secret scanning displays branch and file paths for push protection bypasses

August 26, 2024

Push protection bypass requests will now show file path and branch information for the secret. This improvement helps you more effectively triage any secrets for which you’ve requested push protection bypasses. Branch information is only available for pushes to single branches.

Delegated bypasses for secret scanning push protection allow organizations and repositories to control who can push commits that contain secrets. Developers can request approval from authorized users to push a blocked secret.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in the dedicated GitHub community discussion or signing up for a 60 minute feedback session.

See more See more

Secret scanning non-provider patterns inclusion in recommended security configuration

August 23, 2024

Now, secret scanning non-provider patterns are included in the GitHub-recommended security configuration. Non-provider patterns have also been automatically enabled for any repositories with the recommended configuration previously attached.

Secret scanning non-provider patterns are generic detectors which help you uncover secrets outside of patterns tied to specific token issuers, like HTTP authentication headers, connection strings, and private keys.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more See more

Secret scanning now deduplicates non-provider patterns

August 22, 2024

To help you triage and remediate secret leaks more effectively, GitHub secret scanning now dededuplicates non-provider patterns (generic patterns) against provider patterns.

Secret scanning non-provider patterns are generic detectors that help you uncover secrets outside of patterns tied to specific token issuers, like HTTP authentication headers, connection strings, and private keys.

Note: Custom patterns are not deduplicated, as removing a custom pattern will also delete those alerts. We recommend adjusting your custom patterns to avoid overlap with any GitHub-defined detectors.

Learn more

Learn more about how to secure your repositories with secret scanning. Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more See more

Secret scanning non-provider patterns are included in security configurations

August 20, 2024

You can now enable non-provider patterns (generic patterns) through security configurations at the organization level.

Non-provider patterns will also be included in the GitHub-recommended security configuration on August 23, 2024. At that time, non-provider patterns will be automatically enabled for any repositories with the recommended configuration attached.

Learn more about how to secure your repositories with secret scanning.

Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more See more

Anthropic is now a GitHub secret scanning partner

August 20, 2024

For Anthropic users, GitHub secret scanning now scans for Anthropic tokens to help secure your public repositories. Anthropic tokens enable users to access Claude through the Anthropic API. GitHub will forward any exposed tokens found in public repositories to Anthropic, who will then revoke the compromised tokens and notify the affected users. Read more information about Anthropic tokens.

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

GitHub Advanced Security customers can also scan for and block Anthropic tokens in their private repositories.

Learn more about secret scanning
Partner with GitHub on secret scanning
Join the discussion on our dedicated Github community.

See more See more

Secret scanning for non-code GitHub surfaces is now generally available

August 16, 2024

GitHub secret scanning now detects and alerts you on secrets found in GitHub issues, wikis, discussions, and pull requests.

Secrets, like API keys, passwords, and tokens, can hide in many places. Throughout 2024, we’ve discovered over 100k unique secrets hiding in mediums outside of code. If these leaks aren’t managed correctly, each one of them could pose a substantial risk.

To help protect you from leaked secrets – anywhere within your GitHub perimeter – GitHub provides visibility across all major surfaces. We scan these surfaces for over 200+ token formats and work with relevant partners to help protect you from publicly leaked secrets. GitHub also supports generic patterns like RSA private keys and Copilot-detected passwords.

Learn more about how to secure your repositories with secret scanning.

Let us know what you think by participating in a GitHub community discussion or signing up for a 60 minute feedback session.

See more See more

Bypass list for secret scanning push protection can include the maintainer role

August 14, 2024

Starting in April 2024, GitHub Advanced Security customers using secret scanning have been able to specify which teams or roles have the ability to bypass push protection using a delegated bypass list.

Administrators can now add the maintainer role to this list.

Learn more about secret scanning
Learn more about delegated bypass for push protection
Join the discussion and share your feedback on our dedicated Github community.

See more See more

Secret scanning push protection is supported for content upload REST API endpoints

August 13, 2024

Push protection blocks you from pushing secrets to a repository and generates an alert whenever you bypass the block.

Push protection is now supported for the following REST API endpoints:
* Create a blob
* Create or update file contents

If the content of a PUT request to these endpoints includes a secret, the API will respond with a 409 error and provide a link for bypassing push protection, along with a placeholder_id.

There is also a new API endpoint to bypass push protection programatically, Create a push protection bypass. You or your application can use the placeholder_id from your push protection block in your call to this endpoint.

You need to be the individual or application that initially got blocked to be able to bypass the block successfully.

See more See more

Secret scanning backfilling existing secrets in GitHub wikis

August 13, 2024

Secret scanning is now performing a backfill to detect historically existing secrets in GitHub wikis. For repositories with secret scanning enabled, you may notice newly created alerts for these exposed secrets.

Learn how to secure your repositories with secret scanning or sign up for a 60 minute feedback session on secret scanning and be compensated for your time.

You are also welcome to join the discussion and share your feedback on our dedicated Github community.

See more See more

Metrics for push protection bypass requests are included in the secret scanning metrics page

August 8, 2024

The secret scanning metrics page within an organization’s “Security” tab now includes metrics for push protection bypass requests.

If an organization uses delegated bypass controls for push protection, the following data is shown:

number of bypass requests, broken down by state
mean time to review the requests

The previous data tiles showing the number of blocked secrets and bypassed secrets has been condensed into one tile.

screenshot of new delegated bypass metrics

If an organization has not configured delegated bypass controls, the tiles will display no data.

This data is also available at the Enterprise level within the “Code security” tab on GHEC. It will be included in GHES 3.15.

Read more about secret scanning
Read more about delegated bypass for push protection
Join the discussion in our Github Community.

See more See more

CSV exports for security alerts on the organization-level security overview dashboard

August 6, 2024

New Export CSV button highlighted on the overview dashboard on the Security tab at the organization level

Enhance your security workflows by exporting security alert data for offline analysis, reporting, and archival purposes with our new CSV export functionality, available at the organization level. CSV exports will respect all filters you’ve applied to the page, allowing you to generate multiple exports focusing on different datasets. You can download all data where you have an appropriate level of access.

Learn more about the security overview dashboard and send us your feedback.

See more See more

Secret scanning alerts for non-provider patterns and passwords are retrievable with the REST API

August 6, 2024

Secret scanning alerts for non-provider patterns and generic passwords can now be retrieved using the REST API.

With the “List secret scanning alerts” endpoint for an enterprise, organization, or repository, you can use the query parameter secret_type to request alerts for non-provider patterns or passwords. To retrieve alerts for non-provider patterns, use the “Token” value in this table. To retrieve alerts for passwords, use the value password.

The secret_type parameter can be used to return several secret types, separated by commas: e.g. api.github.com/orgs/ORG/secret-scanning/alerts?secret_type=rsa_private_key,password.

Alerts for non-provider patterns and passwords are not returned by default with the “List secret scanning alerts” endpoint; they must be specifically requested.

Learn more about secret scanning or join the discussion in our dedicated Github community post.

See more See more

Enable secret scanning for non-provider patterns on repositories with the REST API

July 23, 2024

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the repository level.

Non-provider patterns scans for token types from generic providers, like private keys, auth headers, and connection strings.

See more See more

Deprecation of API endpoint to enable or disable a security feature for an organization

July 22, 2024

Code security configurations were made generally available on July 10th, 2024. This experience replaces our old settings experience and its API.

If you are currently using the REST API endpoint to enable or disable a security feature for an organization, this endpoint is now considered deprecated.

It will continue to work for an additional year in the current version of the REST API before being removed in July of 2025. However, users should note this will conflict with the settings assigned in code security configurations if the configuration is unenforced. This may result in a code security configuration being unintentionally removed from a repository.

The endpoint will be removed entirely in the next version of the REST API.

To change the security settings for repositories, you can use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Send us your feedback!.

See more See more

Security overview dashboards, secret scanning metrics and enablement trends reports are now generally available

July 19, 2024

Today, we’re excited to announce the general availability of our new organization and enterprise-level security overview dashboards, alongside enhanced secret scanning metrics and the enablement trends reports. These features are designed to provide comprehensive insights, improved prioritization, and advanced filtering options to streamline your security improvements.

Code security insights

Organization-level overview dashboard on the security tab

Our new security overview dashboard, available at both the organization and enterprise levels, integrates security into the core of the development lifecycle. This empowers you to proactively identify and address vulnerabilities. Key features include:

Track security improvements: Monitor trends over time by age, severity, and security tool, simplifying prioritization with top 10 lists focused on repositories and advisories.
Autofix impact: Understand how autofix, powered by GitHub Copilot, is influencing your enterprise’s security remediation efforts.
Advanced filtering: Customize data focus with filters by attributes such as team, repository metadata (i.e., custom repository properties), and security tool-specific filters:
- Dependabot: Filter by ecosystem, package, and dependency scope.
- CodeQL/Third-Party: Filter by specific rules.
- Secret Scanning: Filter by secret type, provider, push protection status, and validity.

Enablement trends for security tools

Organization-level enablement trends report

Monitor the enablement trends of all security tools with detailed insights into the activation status of Dependabot alerts, Dependabot security updates, code scanning, secret scanning alerts, and secret scanning push protection, giving you at-a-glance oversight of your security coverage.

Push protection insights for secret scanning

Organization-level secret scanning metrics page

Gain insights into how push protection is functioning throughout your enterprise. Monitor the number of pushes containing secrets that have been successfully blocked, as well as instances where push protection was bypassed. Detailed insights by secret type, repository, and reasons for bypassing are also available.

To access these features, navigate to your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you wish to view. For organizations, click on the Security tab. For enterprises, click Code Security in the enterprise account sidebar.

These features are generally available on GitHub.com today and will be generally available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard, the secret scanning metrics report and the enablement trends report

See more See more

View more changes