Leaked a secret? Check your GitHub alerts…for free
GitHub now allows you to track any leaked secrets in your public repository, for free. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.
Exposed secrets and credentials are the most common cause of data breaches and often go untracked.1 With an average of 327 days to identify, these data beaches have shown that credential leaks can lead to severe consequences. Still, organizations struggle to detect leaks at scale and take prompt action to fix any exposed secrets.
At GitHub, we partner with service providers to flag leaked credentials on all public repositories through our secret scanning partner program. We scan repositories for 200+ token formats and work with relevant partners to help protect our mutual customers. In 2022, we notified our partners of over 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens.
Today, we’re starting to roll out secret scanning to all free public repositories in the GitHub community, for free.
Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner—for example, if the keys to your self-hosted HashiCorp Vault are exposed. You’ll always have easy tracking across all alerts to drill deeper into the leak’s source and audit actions taken on the alert.
By using secret scanning alerts in your public repositories, you can help prevent secret exposures and build on open source with confidence.
How to get started
We’ll begin our gradual public beta rollout of secret scanning for public repositories today and expect all users to have the feature by the end of January 2023. If you want earlier access, or have any questions or feedback, please submit a request in our code security discussion.
Once secret scanning alerts are available on your repository you can enable them in your repository’s settings under “Code security and analysis” settings. You can see any detected secrets by navigating to the “Security” tab of your repository and selecting “Secret scanning” in the side panel underneath “Vulnerability alerts.” There, you will see a list of any detected secrets, and you can click on any alert to reveal the compromised secret, its location, and suggested action for remediation.
You can find more information on how to enable secret scanning alerts for your repository in our documentation.
Become a GitHub secret scanning partner
If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program. We currently support 200+ patterns and 100+ partners. To get started, please email secret-scanning@github.com.
- IBM “Cost of a Data Breach 2022” https://www.ibm.com/reports/data-breach ↩
Tags:
Written by
Related posts
The second half of software supply chain security on GitHub
Learn about a community-developed framework for how to think about this problem holistically and how to use GitHub, particularly, to improve the security in the second half of your software supply chain.
Cybersecurity spotlight on bug bounty researcher @imrerad
For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@imrerad!
Kicking off Cybersecurity Awareness Month: Researcher spotlights and additional incentives!
For this year’s Cybersecurity Awareness Month, GitHub’s Bug Bounty team is excited to offer some additional incentives to security researchers!