Leaked a secret? Check your GitHub alerts…for free
GitHub now allows you to track any leaked secrets in your public repository, for free. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.
Exposed secrets and credentials are the most common cause of data breaches and often go untracked.1 With an average of 327 days to identify, these data beaches have shown that credential leaks can lead to severe consequences. Still, organizations struggle to detect leaks at scale and take prompt action to fix any exposed secrets.
At GitHub, we partner with service providers to flag leaked credentials on all public repositories through our secret scanning partner program. We scan repositories for 200+ token formats and work with relevant partners to help protect our mutual customers. In 2022, we notified our partners of over 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens.
Today, we’re starting to roll out secret scanning to all free public repositories in the GitHub community, for free.
Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner—for example, if the keys to your self-hosted HashiCorp Vault are exposed. You’ll always have easy tracking across all alerts to drill deeper into the leak’s source and audit actions taken on the alert.
By using secret scanning alerts in your public repositories, you can help prevent secret exposures and build on open source with confidence.
With secret scanning we found a ton of important things to address. On the AppSec side, it’s often the best way for us to get visibility into issues in the code.
How to get started
We’ll begin our gradual public beta rollout of secret scanning for public repositories today and expect all users to have the feature by the end of January 2023. If you want earlier access, or have any questions or feedback, please submit a request in our code security discussion.
Once secret scanning alerts are available on your repository you can enable them in your repository’s settings under “Code security and analysis” settings. You can see any detected secrets by navigating to the “Security” tab of your repository and selecting “Secret scanning” in the side panel underneath “Vulnerability alerts.” There, you will see a list of any detected secrets, and you can click on any alert to reveal the compromised secret, its location, and suggested action for remediation.
You can find more information on how to enable secret scanning alerts for your repository in our documentation.
Become a GitHub secret scanning partner
If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program. We currently support 200+ patterns and 100+ partners. To get started, please email secret-scanning@github.com.
- IBM “Cost of a Data Breach 2022” https://www.ibm.com/reports/data-breach ↩
Tags:
Related posts
Attacking browser extensions
Learn about browser extension security and secure your extensions with the help of CodeQL.
Cybersecurity spotlight on bug bounty researcher @adrianoapj
As we wrap up Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher who participates in the GitHub Security Bug Bounty Program—@adrianoapj!
Securing the open source supply chain: The essential role of CVEs
Vulnerability data has grown in volume and complexity over the past decade, but open source and programs like the Github Security Lab have helped supply chain security keep pace.