Exposed secrets and credentials are the most common cause of data breaches and often go untracked. These breaches take an average of 327 days to identify, and they have shown that credential leaks can lead to severe consequences. Still, organizations struggle to detect leaks at scale and take prompt action to fix any exposed secrets.
At GitHub, we partner with service providers to flag leaked credentials on all public repositories through our secret scanning partner program. We scan repositories for 200+ token formats and work with relevant partners to help protect our mutual customers. In 2022, we notified our partners of over 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens.
Today, we’re starting to roll out secret scanning to all free public repositories in the GitHub community, for free.
Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner—for example, if the keys to your self-hosted HashiCorp Vault are exposed. You’ll always have easy tracking across all alerts to drill deeper into the leak’s source and audit actions taken on the alert.
By using secret scanning alerts in your public repositories, you can help prevent secret exposures and build on open source with confidence.
We’ll begin our gradual public beta rollout of secret scanning for public repositories today and expect all users to have the feature by the end of January 2023. If you want earlier access, or have any questions or feedback, please submit a request in our code security discussion.
Once secret scanning alerts are available on your repository, you can enable them in your repository’s settings under “Code security and analysis.” You can see any detected secrets by navigating to the “Security” tab of your repository and selecting “Secret scanning” in the side panel underneath “Vulnerability alerts.” There, you will see a list of any detected secrets, and you can click on any alert to reveal the compromised secret, its location, and the suggested action for remediation.
You can find more information on how to enable secret scanning alerts for your repository in our documentation.
If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program. We currently support 200+ patterns and 100+ partners. To get started, please email firstname.lastname@example.org.