secret-scanning

Subscribe to all “secret-scanning” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

Highnote is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Highnote to scan for their tokens and help secure our mutual users on public repositories. Highnote tokens allow users to authenticate with Highnote’s GraphQL API. GitHub will forward access tokens found in public repositories to Highnote, which will then revoke the token and work with impacted users to generate a new token. You can read more information about Highnote’s tokens here.

GitHub Advanced Security customers can also scan for Highnote tokens and block them from entering their private repositories. All users can enable push protection for public repositories, for free.

See more

Aiven is a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Aiven to scan for their tokens and help secure our mutual users on public repositories. Aiven tokens allow users to interact with Aiven hosted services and the Aiven API. GitHub will forward access tokens found in public repositories to Aiven, and the Aiven Customer Success Team will contact project owners via the normal service channel and work with them to rotate and revoke the affected credentials. Aiven will not revoke credentials without prior communication and acknowledgement from the project owner. You can read more information about Aiven’s tokens here.

GitHub Advanced Security customers can also scan for Aiven tokens and block them from entering their private repositories. All users can enable push protection for public repositories, for free.

See more

Secret scanning’s push protection is available on public repositories, for free

Secret scanning's push protection feature is now generally available for all free public repositories on GitHub.com.

You can enable push protection for any public repository on GitHub.com from your repository's "Code security and analysis" settings in the UI or REST API. If you're an organization or enterprise owner, you can also also bulk-enable secret scanning.

For your repositories that are not a part of an organization, you can bulk-enable secret scanning and push protection in your personal "Code security and analysis" settings.

See more

Secret scanning’s push protection now generally available for GitHub Advanced Security

Secret scanning's push protection feature is now generally available for GitHub Advanced Security customers.

Customers can enable push protection for any private repository that has GitHub Advanced Security. Push protection can also be enabled for any public repository, for free. To bulk enable push protection, customers can visit their organization and enterprise's "Code security and analysis" settings in the UI or REST APIs.

Push protection is also available for any custom pattern defined at the repository, organization, and enterprise level. See step 11 under "Defining a custom pattern for a repository" for more details in our documentation.

See more

Secret scanning summary email for historical scans

If you are an organization or enterprise owner, you will now receive a secret scanning summary email when the historical scan completes. The email notification will tell you how many, if any, secrets were detected across all repositories within your organization or enterprise. You'll also receive a link to your security overview page for each secret, where you can view details for each detected secret.

Previously, secret scanning would send one email per repository where secrets were detected, provided that you were watching the repository and had email notifications enabled in your user settings enabled. While repository administrators will still receive an email notification per repository, organization and enterprise owners will now receive only a single notification upon the historical scan's completion.

To receive notifications:

  • For the first historical scan after you enable secret scanning, you must have email notifications enabled in your user settings. You do not need to watch any repositories to receive the secret scanning summary email.
  • For future historical scans, such as for newly added patterns, you will receive an email notification for each repository where a secret was found. You must be watching the repository where the secret was detected and have email notifications enabled in your user settings.

summary email after backfill scan

See more

Doppler is a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Doppler to scan for their tokens and help secure our mutual users on public repositories. Doppler tokens allow users to access and manage their secrets from their existing tooling and infrastructure. GitHub will forward access tokens found in public repositories to Doppler, who will revoke the tokens and email affected customers. You can read more information about Doppler tokens here.

GitHub Advanced Security customers can also scan for Doppler tokens and block them from entering their private and public repositories with push protection.

See more

Rootly is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Rootly to scan for their tokens and help secure our mutual users on public repositories. Rootly tokens allow users to authenticate against the Rootly API and create incidents programmatically. GitHub will forward access tokens found in public repositories to Rootly, who will notify workspace owners and let them revoke token within a few seconds. You can read more information about Rootly tokens here.

GitHub Advanced Security customers can also scan for Rootly tokens and block them from entering their private and public repositories with push protection.

See more

Secret scanning now supports validation checks for supported partner patterns

GitHub Advanced Security customers can now enable validity checks for supported partner patterns in their repository, organization, or enterprise level code security settings.

When you enable the checkbox in your settings, GitHub will automatically check validation for patterns on a cadence by sending the pattern to our relevant partner provider. You can use the validation status on leaked secrets to help prioritize secrets needing remediation action.

As we continuously work with our partners to add support for more patterns, we'll update the "Validity check" column in our documented supported patterns list.

auto check for validity checkbox in settings

See more

Grafana Labs is now a GitHub secret scanning partner

GitHub secret scanning protects users by searching repositories for known types of secrets. By identifying and flagging these secrets, our scans help prevent data leaks and fraud.

We have partnered with Grafana Labs to scan for their tokens and help secure our mutual users on public repositories. Grafana tokens allow users to manage all resources within Grafana installations, and Grafana Cloud tokens can be used to authorize data ingestion requests and to manage the lifecycle of stacks. GitHub will forward access tokens found in public repositories to Grafana Labs, and they will automatically revoke the token and notify affected customers. You can read more information about Grafana's various tokens below:

GitHub Advanced Security customers can also scan for Grafana tokens and block them from entering their private and public repositories with push protection.

See more

Secret scanning now detects secrets leaked historically in issues

GitHub Advanced Security customers using secret scanning can now view any secrets exposed historically in an issue's title, description, or comments within the UI or the REST API. This expanded coverage will also detect and surface secrets matching any custom pattern defined at the repository, organization, or enterprise levels.

See more

Secret scanning now shows metadata for active GitHub tokens

Users with access to secret scanning alerts can now view metadata for any active GitHub token leaked in their repositories. Metadata includes details like the token's owner, expiration date, and access permissions. With this information, security teams can assess a leak's potential impact and prioritize remedial action accordingly.

This feature builds on our previous release in January, which introduced validity checks for leaked GitHub tokens.

github

See more

Secret scanning now shows metrics for custom patterns

GitHub Advanced Security users can now view alert metrics for custom patterns at the repository, organization, and enterprise levels directly from the custom pattern's page. Custom patterns with push protection enabled also show metrics like total secrets blocked and bypassed.

We welcome feedback in our code security discussion.

custom pattern metrics

See more

Secret scanning changes to how you opt in to notifications

We announced two weeks ago that we are changing how you receive notifications for secret scanning alerts. From today, those changes are in effect.

What action should I take?

If you are a repository administrator, organization owner, security manager, or user with read access to secret scanning alerts:

  • Watch your repositories of interest by choosing "All activity" or "Security alerts." This helps you choose what events GitHub will notify you about.
  • In your user notification settings, you must choose "Email" in the "Watching" section. This tells GitHub how to notify you. Secret scanning only supports email notifications at this time.

If you're a commit author:

As long as you are not ignoring the repository in your watch settings, commit authors always receive notifications for new secrets that are leaked. This means you receive a notification for any secret committed after an initial historical scan has run on the repository.

Learn more

See more

Secret scanning changes coming to how you opt-in to alert notifications

We are changing how you receive notifications of secret scanning alerts. Previously, to receive secret scanning alert notifications, you had to watch a repository with "All activity" or "Security alerts" and enable Dependabot email alerts to receive notifications.

Beginning March 16, here are the steps you need to take to continue to receive notifications from secret scanning:

  1. (No change required) Watch repositories of interest by choosing "All activity" or "Security alerts". This help you choose what events GitHub will notify you about.
  2. (Action needed) In your user notification settings, choose "Email" in the "Watching" section. This tells GitHub how to notify you. Secret scanning only supports email notifications at this time.

watching settings

See more

Enable secret scanning alerts on all your public repositories

You can now enable secret scanning alerts on all your personal public repositories from your account's code security and analysis settings.

As before, you can also enable secret scanning alerts on any individual public repository or on all public repositories within an organization or cloud enterprise.

Secret scanning is free on public repositories, and available as part of GitHub Advanced Security on private repositories.

See more
View more changes