Skip to content

secret-scanning

Subscribe to all “secret-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Secret scanning supports validation checks for select AWS, Google, Microsoft, and Slack tokens

GitHub Advanced Security customers that have validity checks enabled will see the validation status for select AWS, Google, Microsoft, and Slack tokens on the alert.

The following tokens are supported:

  • aws_access_key_id
  • aws_secret_access_key
  • aws_session_token
  • aws_temporary_access_key_id
  • aws_secret_access_key
  • google_oauth_access_token
  • google_api_key
  • nuget_api_key
  • slack_api_token

AWS tokens will have validation checks performed periodically in the background, with on-demand validity checks to come in the future.

View our supported secrets documentation to keep up to date as we expand validation support.

See more

Secret scanning token validation events now in the audit log

The enterprise and organization level audit logs now record an event when the setting for automatic validity checks for secrets is enabled or disabled. This data helps GitHub Advanced Security customers understand actions taken on their secret scanning alerts for security and compliance audits.

See more

Secret scanning detects secrets in issues for free public repositories

Users with secret scanning enabled on their free public repositories will now receive alerts for any potential secrets exposed in an issue’s title, description, or comments, including historical revisions. Alerts can be viewed within the UI or the REST API.

New issues are being scanned starting today and existing issues will be scanned over the coming weeks. You can expect all public repositories to be fully scanned by September 1, 2023.

See more

Secret scanning supports on-demand token validity checks

GitHub Advanced Security customers can now perform on-demand validity checks for supported partner patterns, and the alert index view now shows if a secret is active. This builds on our release of enabling automatic validation checks for supported partner patterns back in April.

When the “Automatically verify if a secret is valid” setting is enabled on a repository, users will see a “Verify secret” button on the alert page. This sends the secret to our relevant partner provider to see if the secret is active and updates the status on the alert and index pages.

screenshot of an adafruit io key alert with a verify secret button

As we work with our partners to add support for more secrets, we'll update the "Validity check" column in the documented supported secrets list.

See more

Users can enable push protection for themselves

Secret scanning's push protection feature prevents supported secrets from being pushed into repositories, and has to date been enabled at the repository, organization, or enterprise level.

Now, everyone across GitHub can enable push protection for themselves within your individual settings. This ensures your pushes are protected whenever you push to a public repository on GitHub, without relying on that repository to have push protection enabled.

To opt in, go to the "Code security and analysis" section of your personal settings. Next to "Push protection for yourself", click Enable.

GitHub will enable push protection for all GitHub Free individuals by default in January, 2024.

See more

Secret scanning shows metrics for push protection at the organization level

Organization owners and security managers can now view metrics associated with push protection usage across their organization.

The overview shows a summary of how many pushes containing secrets have been successfully blocked across the organization by push protection, as well as how many times push protection was bypassed.

You can also find more granular metrics, including:

  • the secret types that have been blocked or bypassed the most
  • the repositories that have had the most pushes blocked
  • the repositories that are bypassing push protection the most
  • the percentage distribution of reasons that users give when they bypass the protection

These metrics are found under the Security tab of your organization and are based on activity from the last 30 days.

screenshot of push protection metrics, showing overall secrets blocked and details on most blocked types, repositories with most pushes blocked, and bypassed secret metrics

See more

Defined is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Defined to scan for their tokens and help secure our mutual users on public repositories. Defined tokens allow users to access various administrative functions of their managed mesh networking offerings. GitHub will forward access tokens found in public repositories to Defined, which will then email the user. You can read more information about Defined's tokens here.

All users can scan for and block Defined's tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Defined tokens in their private repositories.

See more

Workato is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Workato to scan for their API tokens and help secure our mutual users on public repositories. Workato Developer API tokens allow users to effectively manage their Workato workspaces programmatically and reduce administrative overhead as they onboard teams from across their organisation. GitHub will forward access tokens found in public repositories to Workato, which will then notify the user about the leaked token. You can read more information about Workato's tokens here.

All users can scan for and block Workato's tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Workato tokens in their private repositories.

See more

GitHub Advanced Security trial now available on GitHub Enterprise Cloud

All eligible GitHub Enterprise accounts can now try GitHub Advanced Security for free for 14 days. GitHub Advanced Security provides integrated security with unparalleled access to curated security intelligence. This unlocks your ability to keep your code, supply chain, and secrets secure before pushing the code to production. During the trial, you can try features such as:

  • Code scanning to help find and remediate security issues in your code
  • Secret scanning to prevent and detect secret exposures across your organization
  • Dependency review to catch vulnerable dependencies before introducing them to your environment

Explore our documentation to learn more about GitHub Advanced Security features and how to deploy them in your organization.
GitHub Advanced Security on Enterprise Cloud

See more

Canadian Digital Service is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of tokens. By identifying and flagging these tokens, our scans help prevent data leaks and fraud.

We have partnered with Canadian Digital Service (CDS) to scan for their tokens and help secure our mutual users on public repositories. Canadian Digital Service tokens allow users to send email and text messages using the Government of Canada’s Notify service. GitHub will forward access tokens found in public repositories to CDS, which will then revoke the token and contact the impacted users to help them generate new tokens. You can read more information about CDS's tokens here.

All users can scan for and block CDS tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block CDS tokens in their private repositories.

See more

LogicMonitor is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with LogicMonitor to scan for their tokens and help secure our mutual users on public repositories. LogicMonitor tokens allow users to authenticate requests to LogicMonitor's REST API. GitHub will forward access tokens found in public repositories to LogicMonitor, which will then inform their portal contacts for remediation. You can read more information about LogicMonitor's tokens here.

All users can scan for and block LogicMonitor tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block LogicMonitor tokens in their private repositories.

See more

Highnote is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Highnote to scan for their tokens and help secure our mutual users on public repositories. Highnote tokens allow users to authenticate with Highnote’s GraphQL API. GitHub will forward access tokens found in public repositories to Highnote, which will then revoke the token and work with impacted users to generate a new token. You can read more information about Highnote’s tokens here.

GitHub Advanced Security customers can also scan for Highnote tokens and block them from entering their private repositories. All users can enable push protection for public repositories, for free.

See more

Aiven is a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Aiven to scan for their tokens and help secure our mutual users on public repositories. Aiven tokens allow users to interact with Aiven hosted services and the Aiven API. GitHub will forward access tokens found in public repositories to Aiven, and the Aiven Customer Success Team will contact project owners via the normal service channel and work with them to rotate and revoke the affected credentials. Aiven will not revoke credentials without prior communication and acknowledgement from the project owner. You can read more information about Aiven’s tokens here.

GitHub Advanced Security customers can also scan for Aiven tokens and block them from entering their private repositories. All users can enable push protection for public repositories, for free.

See more

Secret scanning’s push protection is available on public repositories, for free

Secret scanning's push protection feature is now generally available for all free public repositories on GitHub.com.

You can enable push protection for any public repository on GitHub.com from your repository's "Code security and analysis" settings in the UI or REST API. If you're an organization or enterprise owner, you can also also bulk-enable secret scanning.

For your repositories that are not a part of an organization, you can bulk-enable secret scanning and push protection in your personal "Code security and analysis" settings.

See more

Secret scanning’s push protection now generally available for GitHub Advanced Security

Secret scanning's push protection feature is now generally available for GitHub Advanced Security customers.

Customers can enable push protection for any private repository that has GitHub Advanced Security. Push protection can also be enabled for any public repository, for free. To bulk enable push protection, customers can visit their organization and enterprise's "Code security and analysis" settings in the UI or REST APIs.

Push protection is also available for any custom pattern defined at the repository, organization, and enterprise level. See step 11 under "Defining a custom pattern for a repository" for more details in our documentation.

See more

Secret scanning summary email for historical scans

If you are an organization or enterprise owner, you will now receive a secret scanning summary email when the historical scan completes. The email notification will tell you how many, if any, secrets were detected across all repositories within your organization or enterprise. You'll also receive a link to your security overview page for each secret, where you can view details for each detected secret.

Previously, secret scanning would send one email per repository where secrets were detected, provided that you were watching the repository and had email notifications enabled in your user settings enabled. While repository administrators will still receive an email notification per repository, organization and enterprise owners will now receive only a single notification upon the historical scan's completion.

To receive notifications:

  • For the first historical scan after you enable secret scanning, you must have email notifications enabled in your user settings. You do not need to watch any repositories to receive the secret scanning summary email.
  • For future historical scans, such as for newly added patterns, you will receive an email notification for each repository where a secret was found. You must be watching the repository where the secret was detected and have email notifications enabled in your user settings.

summary email after backfill scan

See more

Doppler is a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Doppler to scan for their tokens and help secure our mutual users on public repositories. Doppler tokens allow users to access and manage their secrets from their existing tooling and infrastructure. GitHub will forward access tokens found in public repositories to Doppler, who will revoke the tokens and email affected customers. You can read more information about Doppler tokens here.

GitHub Advanced Security customers can also scan for Doppler tokens and block them from entering their private and public repositories with push protection.

See more

Rootly is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Rootly to scan for their tokens and help secure our mutual users on public repositories. Rootly tokens allow users to authenticate against the Rootly API and create incidents programmatically. GitHub will forward access tokens found in public repositories to Rootly, who will notify workspace owners and let them revoke token within a few seconds. You can read more information about Rootly tokens here.

GitHub Advanced Security customers can also scan for Rootly tokens and block them from entering their private and public repositories with push protection.

See more

Secret scanning now supports validation checks for supported partner patterns

GitHub Advanced Security customers can now enable validity checks for supported partner patterns in their repository, organization, or enterprise level code security settings.

When you enable the checkbox in your settings, GitHub will automatically check validation for patterns on a cadence by sending the pattern to our relevant partner provider. You can use the validation status on leaked secrets to help prioritize secrets needing remediation action.

As we continuously work with our partners to add support for more patterns, we'll update the "Validity check" column in our documented supported patterns list.

auto check for validity checkbox in settings

See more
View more changes