secret-scanning


Secret scanning is now performing a backfill to detect historically existing secrets in GitHub wikis. For repositories with secret scanning enabled, you may notice newly created alerts for these exposed secrets.

Learn how to secure your repositories with secret scanning or sign up for a 60-minute feedback session on secret scanning and be compensated for your time.

You are also welcome to join the discussion and share your feedback on our dedicated GitHub community.

The secret scanning metrics page within an organization’s “Security” tab now includes metrics for push protection bypass requests.

If an organization uses delegated bypass controls for push protection, the following data is shown:

  • number of bypass requests, broken down by state
  • mean time to review the requests

The previous data tiles showing the number of blocked secrets and bypassed secrets have been condensed into one tile.

screenshot of new delegated bypass metrics

If an organization has not configured delegated bypass controls, the tiles will display no data.

This data is also available at the Enterprise level within the “Code security” tab on GHEC. It will be included in GHES 3.15.

New Export CSV button highlighted on the overview dashboard on the Security tab at the organization level

Enhance your security workflows by exporting security alert data for offline analysis, reporting, and archival purposes with our new CSV export functionality, available at the organization level. CSV exports will respect all filters you’ve applied to the page, allowing you to generate multiple exports focusing on different datasets. You can download all data where you have an appropriate level of access.

Learn more about the security overview dashboard and send us your feedback.

Secret scanning alerts for non-provider patterns and generic passwords can now be retrieved using the REST API.

With the “List secret scanning alerts” endpoint for an enterprise, organization, or repository, you can use the query parameter secret_type to request alerts for non-provider patterns or passwords. To retrieve alerts for non-provider patterns, use the “Token” value in this table. To retrieve alerts for passwords, use the value password.

The secret_type parameter can be used to return several secret types, separated by commas: e.g. api.github.com/orgs/ORG/secret-scanning/alerts?secret_type=rsa_private_key,password.

Alerts for non-provider patterns and passwords are not returned by default with the “List secret scanning alerts” endpoint; they must be specifically requested.
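As an added example (not GitHub's own code), the following Python script builds the comma-separated secret_type query described above, pages through an organization's alerts by following the Link header, and counts the results by secret type and state; the organization name, the token variable and the sample alert records are assumptions or constructed values, not real API output.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

API = "https://api.github.com"
# Non-provider patterns and passwords are only returned when named in secret_type.
DEFAULT_TYPES = ("rsa_private_key", "password")


def build_alerts_url(org, secret_types=DEFAULT_TYPES, state="open"):
    """List-alerts URL for an org with a comma-separated secret_type filter."""
    params = {"secret_type": ",".join(secret_types), "state": state, "per_page": 100}
    # safe="," keeps the comma literal, matching the documented query form.
    query = urllib.parse.urlencode(params, safe=",")
    return f"{API}/orgs/{org}/secret-scanning/alerts?{query}"


def next_page(link_header):
    """Return the rel="next" URL from a Link header, or None on the last page."""
    for part in link_header.split(","):
        if 'rel="next"' in part:
            return part.split(";")[0].strip(" <>")
    return None


def fetch_alerts(org, token, secret_types=DEFAULT_TYPES):
    """Walk every page of the endpoint; token is the caller's PAT (assumed)."""
    headers = {"Accept": "application/vnd.github+json",
               "Authorization": f"Bearer {token}",
               "X-GitHub-Api-Version": "2022-11-28"}
    url, alerts = build_alerts_url(org, secret_types), []
    while url:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req) as resp:
            alerts.extend(json.load(resp))
            url = next_page(resp.headers.get("Link", ""))
    return alerts


def summarize_alerts(alerts):
    """Count alerts per (secret_type, state) to triage the newly exposed kinds."""
    return Counter((a["secret_type"], a["state"]) for a in alerts)


# Constructed sample records (not real API output) in the response object's shape.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "rsa_private_key"},
    {"number": 2, "state": "open", "secret_type": "password"},
    {"number": 3, "state": "resolved", "secret_type": "password"},
]
```

Call fetch_alerts("your-org", token) with a token that has access to the organization's alerts, then pass the result to summarize_alerts.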

GitHub Advanced Security customers using secret scanning can now use the REST API to enable or disable support for non-provider patterns at the repository level.

Non-provider patterns detect token types from generic providers, such as private keys, auth headers, and connection strings.

Code security configurations were made generally available on July 10th, 2024. This experience replaces our old settings experience and its API.

If you are currently using the REST API endpoint to enable or disable a security feature for an organization, this endpoint is now considered deprecated.

It will continue to work for an additional year in the current version of the REST API before being removed in July of 2025. However, users should note this will conflict with the settings assigned in code security configurations if the configuration is unenforced. This may result in a code security configuration being unintentionally removed from a repository.

The endpoint will be removed entirely in the next version of the REST API.

To change the security settings for repositories, you can use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Send us your feedback!

Today, we’re excited to announce the general availability of our new organization and enterprise-level security overview dashboards, alongside enhanced secret scanning metrics and the enablement trends reports. These features are designed to provide comprehensive insights, improved prioritization, and advanced filtering options to streamline your security improvements.

Code security insights

Organization-level overview dashboard on the security tab

Our new security overview dashboard, available at both the organization and enterprise levels, integrates security into the core of the development lifecycle. This empowers you to proactively identify and address vulnerabilities. Key features include:

  • Track security improvements: Monitor trends over time by age, severity, and security tool, simplifying prioritization with top 10 lists focused on repositories and advisories.
  • Autofix impact: Understand how autofix, powered by GitHub Copilot, is influencing your enterprise’s security remediation efforts.
  • Advanced filtering: Customize data focus with filters by attributes such as team, repository metadata (i.e., custom repository properties), and security tool-specific filters:
    • Dependabot: Filter by ecosystem, package, and dependency scope.
    • CodeQL/Third-Party: Filter by specific rules.
    • Secret Scanning: Filter by secret type, provider, push protection status, and validity.

Organization-level enablement trends report

Monitor the enablement trends of all security tools with detailed insights into the activation status of Dependabot alerts, Dependabot security updates, code scanning, secret scanning alerts, and secret scanning push protection, giving you at-a-glance oversight of your security coverage.

Push protection insights for secret scanning

Organization-level secret scanning metrics page

Gain insights into how push protection is functioning throughout your enterprise. Monitor the number of pushes containing secrets that have been successfully blocked, as well as instances where push protection was bypassed. Detailed insights by secret type, repository, and reasons for bypassing are also available.

To access these features, navigate to your profile photo in the top-right corner of GitHub.com and select the organization or enterprise you wish to view. For organizations, click on the Security tab. For enterprises, click Code Security in the enterprise account sidebar.

These features are generally available on GitHub.com today and will be generally available in GitHub Enterprise Server 3.14.

Learn more about the security overview dashboard, the secret scanning metrics report, and the enablement trends report.

GitHub Enterprise Cloud customers can now see code security configurations data in audit log events.

Code security configurations simplify the rollout of GitHub security products at scale by defining collections of security settings and helping you apply those settings to groups of repositories. Configurations help you change the settings for important features like code scanning, secret scanning, and Dependabot.

With the addition of configurations data in the audit log, organization and enterprise owners have easy visibility into why the settings on certain repositories may have changed.

Audit log events now include:
– Name of the configuration applied to a repository
– When the configuration application fails
– When a configuration is removed from a repository
– When configurations are created, updated, or deleted
– When configurations become enforced
– When the default configuration for new repositories changes

Code security configurations are now available in public beta on GitHub.com and will be available in GitHub Enterprise Server 3.15. You can learn more about code security configurations or send us your feedback.

The REST API now supports the following code security configuration actions for organizations:

  • Detach configurations from repositories
  • Enforce configurations
  • Enable validity checks for secret scanning in a configuration

The API is now available on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.15.0. You can learn more about security configurations, the REST API, or send us your feedback.

Secret scanning now detects generic passwords using AI. Passwords are difficult to find with custom patterns — the AI-powered detection offers greater precision for unstructured credentials that can cause security breaches if exposed.

Passwords found in git content will create a secret scanning alert in a separate tab from regular alerts. Passwords will not be detected in non-git content, like GitHub Issues or pull requests, and are not included in push protection. Password detection is backed by the Copilot API and is available for all repositories with a GitHub Advanced Security license. You do not need a Copilot license to enable generic secret detection.

To start detecting passwords, select “Use AI detection to find additional secrets” within your code security and analysis settings at the repository level, or the code security global settings at the organization level.

Secret scanning now helps you more easily define custom patterns with GitHub Copilot.

Generally available as of today, you can now leverage AI to generate custom patterns without expert knowledge of regular expressions.

Generate a secret scanning custom pattern with AI

What’s changing?

Defining custom patterns is now simpler and more efficient. You can leverage AI to generate patterns via text input — without expert knowledge in regular expressions.

With secret scanning, you can create your own custom detectors by using custom patterns. Formatted as regular expressions, these custom patterns can be challenging to write. Secret scanning now supports a pattern generator backed by GitHub Copilot in order to generate regular expressions that match your input.

How do I use the regular expression generator?

When defining a custom pattern, you can select “generate with AI” in order to launch the regular expression generator.

The model returns up to three regular expressions for you to review. You can click on a regular expression to get an AI-generated plain-language description of it. You should still review the suggestions and carefully validate the quality of their results by performing a dry run across your organization or repository.

Who can use the regular expression generator?

All GitHub Advanced Security customers on GitHub Enterprise Cloud can use the regular expression generator today. Anyone able to define custom patterns is able to use the regular expression generator (e.g. any admin at the repository, organization, or enterprise levels). You do not need a GitHub Copilot license to use the regular expression generator.

Learn more about the regular expression generator or how to define your own custom patterns.

Code security configurations are now generally available (GA)!

Code security configurations simplify the rollout of GitHub security products at scale. They help you define collections of security settings and apply them across groups of repositories.

Since the beta release on April 2, 2024, we’ve launched several improvements, including configuration enforcement and an API.

We have sunset the old organization-level code security settings UI experience along with the API parameters that complemented it.

All new changes to security settings must happen through the new code security configurations experience. Organizations that were previously opted out of the experience have been opted back in. All default settings for new repositories have been migrated to a configuration called “Legacy” and automatically applied to new repos.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

Code security configurations will be made generally available (GA) on July 10th, 2024. At that point, we will sunset the organization-level code security settings UI experience along with the API parameters that complemented it.

If you are currently using the Update an organization REST API endpoint to set default security settings for new repositories, or the Get an organization REST API endpoint to retrieve current defaults for security settings on new repositories, those parameters will now be ignored. The parameters will be removed entirely in the next version of the REST API.

Your previous default settings in your organization have been saved to a code security configuration called “Legacy” and will continue to apply. To change the default security settings for new repositories, use the code security configurations UI, the configurations API, or the unaffected enterprise-level security settings.

Learn more about code security configurations, the configurations REST API, or send us your feedback.

Delegated bypass for push protection has expanded to cover pushes from the web file editor. When your organization or repository configures a delegated bypass list for push protection, any commits from the file editor that include secrets will be blocked, and the committer will need to submit a bypass request for review.

Starting today, validity checks will be included in the “GitHub recommended” setup through code security configurations and will be enabled for any newly attached repositories.

Please note that on July 24, validity checks will also be enabled retroactively for any repositories that had attached the GitHub recommended configuration before July 2, 2024. If you wish to directly manage feature enablement moving forward, we recommend detaching the recommended configuration and attaching your own custom configuration to those repositories.

Learn how to secure your repositories with secret scanning, participate in the community discussion with feedback, or sign up for a 60-minute feedback session on secret scanning and be compensated for your time.
