GitHub Advanced Security customers can now sort and filter their list of custom patterns at the repository, organization, and enterprise levels. This upgrade to the experience supports admins who need to manage dozens, or hundreds, of custom patterns.
Learn more about custom patterns for GitHub Advanced Security
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Zuplo to scan for their API keys connected to a Zuplo API Gateway, which allows users to add API key authentication to their APIs. We'll forward access tokens found in public repositories to Zuplo, who follow customer preference to either notify their customers via email or automatically revoke the token. More information about Zuplo API tokens can be found here.
We continue to welcome new partners for public repository secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets and prevent Zuplo keys from accidental leaks with push protection.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.
We have partnered with Sendinblue to scan for their API keys, which can be used to send emails. We'll forward API keys we find in public repositories to Sendinblue, who will review the detection then notify their users via email.
We continue to welcome new partners for public repo secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.
GitHub Advanced Security customers can now use cursors to paginate over alert results they retrieve via the repository and organization level REST APIs.
Paginating with cursors, using the new before and after query parameters, can help assure data consistency and improve response times. To receive an initial cursor on your first request, include an empty "before" or "after" query string in your API call.
Learn more about the secret scanning REST API
Learn more about private repository scanning with Advanced Security
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.
We have partnered with SendGrid to scan for their access tokens, which allow users to retrieve account information and statistics. We'll forward access tokens found in public repositories to SendGrid. SendGrid will then either suspend the detected token or send it to their fraud team for manual review, depending on the token scope. More information about SendGrid API tokens can be found here.
GitHub Advanced Security customers can also scan for SendGrid's API keys and block them from entering their private and public repositories via secret scanning’s push protection feature.
Learn more about secret scanning
Partner with GitHub on secret scanning
GitHub Advanced Security customers can now view bypasses of secret scanning's push protection in the enterprise and organization audit logs. The GitHub REST API and webhooks now also contain bypass information.
GitHub Advanced Security customers can now perform dry runs of their custom patterns when editing a pattern. Dry runs allow admins to understand a pattern's impact across an organization and to hone the pattern before publishing and generating alerts.
Admins can compose a new pattern or edit a published pattern then 'Save and dry run' to retrieve results from their selected repositories. Scan results will appear on screen as they're detected, but admins can leave the page and later come back to their saved pattern's dry run results.
For more information:
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.
We have partnered with redirect.pizza, a domain redirection service, to scan for their API tokens and help secure our mutual users. Their API keys allow users to create, update, and delete redirects. We'll forward API tokens found in public repositories to redirect.pizza, who will notify the user by email and automatically revoke the token. More information about redirect.pizza’s API tokens can be found here.
GitHub Advanced Security customers can also scan for redirect.pizza API keys and block them from entering their private and public repositories via secret scanning’s push protection feature.
GitHub Advanced Security customers can now use sort and direction parameters in the GitHub REST API when retrieving secret scanning alerts. API users can sort based on the alert’s created or updated fields. The new parameters are available at the enterprise, organization, and repository level API endpoints.
Learn more about the secret scanning REST API
Learn more about private repository scanning with Advanced Security
The enterprise and organization level audit logs now record an event when a secret scanning alert is created, closed, or reopened. This data helps GitHub Advanced Security customers understand actions taken on their secret scanning alerts for security and compliance audits.
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.
We have partnered with DigitalOcean to scan for their API keys, which allow users to manage Droplets and resources. We'll forward API keys found in public repositories to DigitalOcean, who will revoke valid keys and email the affected user.
GitHub Advanced Security customers can also scan for DigitalOcean API keys and block them from entering their private and public repositories via secret scanning’s new push protection feature.
GitHub Advanced Security customers can now dry run custom secret scanning patterns at the enterprise level (in addition to the organization and repository levels previously available). Dry runs allow admins to understand a pattern's impact across the entire enterprise and hone the pattern before publishing and generating alerts.
Admins can compose a pattern then 'Save and dry run' to retrieve results from their selected repositories. Scan results will appear on screen as they're detected, but admins can leave the page and later come back to their saved pattern's dry run results.
For more information:
Organizations with GitHub Advanced Security can now prevent secrets leaked in code committed via the command line and the GitHub web editor with secret scanning’s push protection feature.
For repositories with push protection enabled, GitHub will block any pushes where a high-confidence token is detected in a commit made via the web editor. Developers can bypass the block by providing details of why the secret needs to be committed via the UI.
Push protection scans for tokens that can be detected with a very low false positive rate. If you run a service that issues tokens we’d love to work with you to make them highly identifiable and include them in push protection. We changed the format of GitHub’s own personal access tokens last year with this in mind.
For more information:
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.
We have partnered with JD Cloud to scan for their access tokens, which are used for cloud computing services. We'll forward access tokens found in public repositories to JD Cloud, who will notify the user by email without making any changes to the tokens. Users can request support for their JD Cloud API tokens here.
We continue to welcome new partners for public repository secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.
GitHub now protects you by scanning public repos for leaked GitHub login credentials. If you accidentally expose your username and password in code or commit metadata, we will automatically reset your password and email you.
We'd like to thank Will Deane, Director and Principal Consultant at ASX Consulting, and Aaron Devaney, Principal Security Consultant at MDSec, for surfacing the threat of exposed passwords and helping us secure all our users via GitHub's Security Bug Bounty program. You can read more from the researchers here.
For more information:
GitHub Advanced Security customers can now dry run custom secret scanning patterns at the organization (and repository) level. Dry runs allow admins to understand a pattern's impact across an organization and hone the pattern before publishing and generating alerts.
Admins can compose a pattern then 'Save and dry run' to retrieve results from their selected repositories. Scan results will appear on screen as they're detected, but admins can leave the page and later come back to their saved pattern's dry run results. Enterprise-level dry runs will follow shortly.
For more information:
The audit log now includes events associated with secret scanning custom patterns. This data helps GitHub Advanced Security customers understand actions taken on their repository, organization, or enterprise level custom patterns for security and compliance audits.
New events will be added to the audit log when a custom pattern is created, updated, or deleted.
GitHub Advanced Security customers using secret scanning can now opt to receive a webhook each time a secret is detected in a new location. The secret_scanning_alert_location webhook event includes location details, like the commit SHA, and the associated alert for the detection. A location is created for every new file path containing the detected secret.
Organizations with GitHub Advanced Security can now prevent secret leaks with secret scanning’s new push protection feature.
For repositories with push protection enabled, GitHub will block any pushes where a high-confidence token is detected. Developers can bypass the block by providing details of why the secret needs to be committed via a web UI.
Push protection scans for tokens that can be detected with a very low false positive rate. If you run a service that issues tokens we’d love to work with you to make them highly identifiable and include them in push protection. We changed the format of GitHub’s own personal access tokens last year with this in mind.
For more information:
GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, we help protect users from data leaks and fraud associated with exposed data.
We have partnered with Supabase to scan for their API keys, which allow users to update and access database changes. We'll forward the API keys that we find in public repositories to Supabase, who will automatically revoke the detected secrets and notify the affected users.
We continue to welcome new partners for public repository secret scanning. GitHub Advanced Security customers can also scan their private repositories for leaked secrets.
