secret-scanning

Subscribe to all “secret-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

We are changing how you receive notifications of secret scanning alerts. Previously, to receive secret scanning alert notifications, you had to watch a repository with "All activity" or "Security alerts" and enable Dependabot email alerts to receive notifications.

Beginning March 16, here are the steps you need to take to continue to receive notifications from secret scanning:

  1. (No change required) Watch repositories of interest by choosing "All activity" or "Security alerts". This help you choose what events GitHub will notify you about.
  2. (Action needed) In your user notification settings, choose "Email" in the "Watching" section. This tells GitHub how to notify you. Secret scanning only supports email notifications at this time.

watching settings

See more

You can now enable secret scanning alerts on all your personal public repositories from your account's code security and analysis settings.

As before, you can also enable secret scanning alerts on any individual public repository or on all public repositories within an organization or cloud enterprise.

Secret scanning is free on public repositories, and available as part of GitHub Advanced Security on private repositories.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with WakaTime to scan for their tokens and help secure our mutual users on public repositories. WakaTime tokens allow users to programmatically access their WakaTime code statistics. GitHub will forward access tokens found in public repositories to WakaTime, who will immediately revoke the leaked token and email the token's owner with instructions on next steps. You can read more information about WakaTime tokens here.

GitHub Advanced Security customers can also scan for WakaTime tokens and block them from entering their private and public repositories with push protection.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Persona to scan for their API keys and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Persona API keys allow users to create, update, and interact with their identity-related data. GitHub will forward API keys found in public repositories to Persona, who will notify affected customers and work with them to rotate their API keys. You can read more information about Persona API keys here.

GitHub Advanced Security customers can also scan for Persona API keys and block them from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Twilio Segment to scan for their tokens and help secure our mutual users on all public repositories, and private repositories with GitHub Advanced Security. Twilio Segment tokens allow users to programmatically manage their workspaces. GitHub will forward access tokens found in public repositories to Twilio Segment, who will immediately revoke the token and notify workspace owners. You can learn more about Twilio Segment tokens here.

GitHub Advanced Security customers can also block Twilio Segment tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

Secret scanning users can now view the validity of detected GitHub tokens by clicking into the related alert's UI page. The alert page will tell you whether the GitHub token is still active and able to be used.

Secret scanning alerts are available for free on public repositories and as part of GitHub Advanced Security on private repositories.

See more

GitHub, the Rust Foundation, and the Rust Project are collaborating to help protect you from leaked crates.io keys.

From today, GitHub will scan every commit to a public repository for exposed crates.io keys. We will forward any tokens we find to crates.io, who will automatically disable the tokens and notify their owners. The end-to-end process takes only a few seconds.

Crates.io is the latest GitHub secret scanning integrator; since 2018, GitHub has partnered with over 100 token issuers to help keep our mutual customers safe. We continue to welcome new partners for public repository secret scanning. In addition, GitHub Advanced Security customers can scan their private repositories for leaked secrets.

We’d like to thank the crates.io team, the staff at the Rust Foundation, and the work from AWS’ Dan Gardner on this GitHub pull request that made our collaboration with Rust possible.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

GitHub Advanced Security customers can view an event in their organization or enterprise audit log when an admin enables or disables push protection for a custom pattern at the repository, organization, or enterprise level.

See more

As of last month, GitHub Advanced Security customers can enable push protection for push protection for any custom pattern defined at the repository or organization level. Now, customers can also protect patterns that they've defined at the enterprise level.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Tencent Weixin to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Tencent Weixin tokens allow users to verify the Weixin Official Accounts and Mini Programs developers, obtain sensitive information on business applications and can be used to verify merchant identities.

GitHub will forward access tokens found in public repositories to Tencent Weixin, who will notify affected users. Tencent Weixin encourages users to delete leaked API tokens on GitHub and to create a new token. More information about Tencent Weixin tokens can be found here.

Learn more about secret scanning
Partner with GitHub on secret scanning

See more

Secret scanning alerts for third party API key detections now include a link to relevant documentation provided by the service provider, where available. These links are intended to help users better understand detections and take appropriate action.

The links will appear in the alert view for all repositories with secret scanning enabled. You can enable secret scanning on your public repositories and any private repository with GitHub Advanced Security. If you have feedback on any provided links, please write us a note in our code security discussion.

example alert with provider docs

For more information:

See more

Previously, GitHub Advanced Security customers could enable push protection for all patterns supported by default.

Now, admins can also enable push protection for any custom pattern defined at the repository or organization level. Push protection for enterprise-level custom patterns will come in January.

blocked custom pattern

See more

Previously, only organizations with GitHub Advanced Security could enable secret scanning's user experience on their repositories. Now, any admin of a public repository on GitHub.com can detect leaked secrets in their repositories with GitHub secret scanning.

The new secret scanning user experience complements the secret scanning partner program, which alerts over 100 service providers if their tokens are exposed in public repositories. You can read more about this change and how secret scanning can protect your contributions in our blog post.

See more

Enterprises with GitHub Advanced Security can now enable secret scanning and push protection on all their organizations using a single call to an enterprise-level REST API endpoint.

You can also use the enterprise API to set a default custom link that will appear on a push protection block.

This new endpoint supplements the existing enterprise enablement settings in the UI and the repository-level and organization-level REST API enablement endpoints.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Telnyx to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security. Telnyx tokens allow users to manage their usage and resources on the Telnyx communications and connectivity platform.

GitHub will forward access tokens found in public repositories to Telnyx, who will immediately reach out to the user and work to swiftly rotate the key. More information about Telnyx tokens can be found here.

GitHub Advanced Security customers can also block Telnyx tokens from entering their private and public repositories with push protection.

Learn more about secret scanning
Learn more about protecting pushes
Partner with GitHub on secret scanning

See more