secret-scanning

Subscribe to all “secret-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Canva to scan for their tokens to help secure our mutual users in public repositories. Canva tokens enable users to perform authentication for their Canva Connect API integrations. GitHub will forward any exposed tokens found in public repositories to Canva, who will then rotate the token and notify the user about the leaked token. Read more information about Canva tokens.

GitHub Advanced Security customers can also scan for and block Canva tokens in their private repositories.

See more

In the secret scanning list view, you can now apply a filter to display alerts that are the result of having bypassed push protection. This filter can be applied at the repository, organization, and enterprise levels from the sort menu in the list view UI or by adding bypassed:true to the search bar.

See more

GitHub Advanced Security users can now use the REST API to enable or disable secret scanning validity checks for a repository, organization, or enterprise. Validity checks retrieve a status for supported tokens from their relevant partner (active, inactive, or unknown). This status is displayed in the secret scanning alert view and the REST API.

See more

Secret scanning will now use AI to detect unstructured passwords in git content and generate an alert. Alerts for passwords appear in a separated tab from regular secret scanning alerts.

Generic secret detection is available for repositories with a GitHub Advanced Security license. The feature is in a limited beta and access will be granted through a waitlist.

screenshot of a secret scanning alert for an AI-detected password

See more

Secret scanning has a new, AI-powered regular expression generator for custom patterns. Within the existing custom patterns page, GitHub Advanced Security users can launch a generative AI experience where you input a text description of what pattern you would like to detect, include optional example strings that should be detected, and get matching regular expressions in return.

The generator is in a limited beta and access will be granted through a waitlist.

screenshot of the regular expression generator

See more

Secret scanning will now detect the following non-provider patterns:

  • HTTP basic authentication header
  • HTTP bearer authentication header
  • MongoDB connection string
  • MySQL connection string
  • Postgres connection string
  • OpenSSH private key
  • PGP private key
  • RSA private key

Detection of these patterns must be enabled within a repository or organization’s security settings by checking the box next to “Scan for non-provider patterns.” Resulting secrets will appear in a new, separate tab on the secret scanning alert list called “Other.”

screenshot of secret scanning alerts showing a tab called Other with alerts for five non-provider patterns

Detection of non-provider patterns is currently in beta and is available for enterprises with a GitHub Advanced Security license only. Additional patterns will be added throughout the beta.

See more

GitHub Advanced Security users can now filter their secret scanning alerts by validity in the UI at the repository, organization, and enterprise level. Valid statuses are active, inactive, or unknown. Validity checks must be enabled for the repository, organization, or enterprise.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Onfido to scan for their tokens to help secure our mutual users in public repositories. Onfido tokens allow developers to interact with Onfido's API in order to integrate secure and reliable identity verification solutions into their applications and services, helping to enhance user onboarding processes and protect against fraud. GitHub will forward any exposed tokens found in public repositories to Onfido, who will then notify the customer about the leaked token. Read more information about Onfido API tokens.

GitHub Advanced Security customers can also scan for and block Onfido tokens in their private repositories.

See more

GitHub Advanced Security users can now use the REST API to retrieve the validity status of a secret scanning token and retrieve all tokens of a particular validity status. The API will return the status of the token as of the last validity check. Valid statuses are active, inactive, or unknown. Validity checks must be enabled for the enterprise, organization, or repository.

See more

Secret scanning automatically detects leaked secrets across all public packages on the npm registry. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact the committer directly. Package maintainers will not receive secret scanning alerts for these detections.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Authress to scan for their service client access keys and their user API tokens to help secure our mutual users in public repositories. Authress access keys allow users to secure applications and platforms through machine-to-machine authentication and they enable granular resource-based authorization. GitHub will forward any exposed access keys found in public repositories to Authress, who will automatically revoke the exposed access key, create an audit trail message that can be ingested by SIEM technologies, and send an email alert to your Authress account admin. Read more information about Authress API access keys.

All users can scan for and block Authress keys from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Authress keys in their private repositories.

See more

GitHub secret scanning protects users by searching repositories for known types of secrets such as tokens and private keys. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Mercury to scan for their license keys and help secure our mutual users on public repositories. Mercury tokens allow users to automate your banking needs through their API. GitHub will forward tokens found in public repositories to Mercury, who will then revoke them, keeping your account safe. Read more information about Mercury tokens.

All users can scan for and block Mercury tokens from entering their public repositories for free with push protection. GitHub Advanced Security customers can also scan for and block Mercury tokens in their private repositories.

See more