Leaked a secret? Check your GitHub alerts…for free
GitHub now allows you to track any leaked secrets in your public repository, for free. With secret scanning alerts, you can track and action on leaked secrets directly within GitHub.
Exposed secrets and credentials are the most common cause of data breaches, and they often go unnoticed.1 Breaches caused by compromised credentials take an average of 327 days to identify and contain, so a leaked credential can do damage for a long time before anyone reacts. Still, organizations struggle to detect leaks at scale and to fix exposed secrets promptly.
At GitHub, we partner with service providers to flag leaked credentials on all public repositories through our secret scanning partner program. We scan repositories for 200+ token formats and work with relevant partners to help protect our mutual customers. In 2022, we notified our partners of over 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens.
Today, we’re starting to roll out secret scanning alerts to all public repositories on GitHub, at no cost.
Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner—for example, if the keys to your self-hosted HashiCorp Vault are exposed. You’ll always have easy tracking across all alerts to drill deeper into the leak’s source and audit actions taken on the alert.
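To make concrete what the scanner described above does (match known token formats in repository content, record the location and type of each hit, and distinguish secrets whose provider can be notified from those, such as a self-hosted Vault token, that only the repository owner can act on), here is a small added example. It is not GitHub’s code: the three regexes, the partner-notification table and the sample files are assumptions written for this illustration, and a real scanner such as GitHub’s uses hundreds of partner-supplied patterns plus validity checks that are not reproduced here.

```python
import re
from dataclasses import dataclass

# Illustrative patterns for three token formats. Assumption: these regexes are
# written for this example only; GitHub's scanner uses 200+ partner-supplied
# patterns that are not published here.
PATTERNS = {
    "github_personal_access_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hashicorp_vault_service_token": re.compile(r"\bhvs\.[A-Za-z0-9]{24,}\b"),
}

# Whether a provider can be notified so it can revoke the token. Assumption for
# this example: a self-hosted Vault has no provider to call, so only the
# repository owner can rotate the secret.
PARTNER_NOTIFIABLE = {
    "github_personal_access_token": True,
    "aws_access_key_id": True,
    "hashicorp_vault_service_token": False,
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    secret_type: str
    redacted: str          # never store or log the full secret in an alert
    partner_notified: bool


def redact(secret: str) -> str:
    """Keep enough of the token to recognise it, never enough to use it."""
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line and record each match as a finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for secret_type, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(
                    path=path,
                    line=lineno,
                    secret_type=secret_type,
                    redacted=redact(match.group(0)),
                    partner_notified=PARTNER_NOTIFIABLE[secret_type],
                ))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents, in insertion order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents. The GitHub token is a made-up string
# of the right shape (not a real token), the AWS key is the example key from
# AWS's own documentation, and the Vault token is invented.
SAMPLE_FILES = {
    ".env": (
        "GITHUB_TOKEN=ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "deploy/vault.sh": (
        "#!/bin/sh\n"
        "export VAULT_ADDR=https://vault.internal.example\n"
        "export VAULT_TOKEN=hvs.CAESIExampleTokenBody0123456789abcdef\n"
    ),
    ".github/workflows/ci.yml": (
        "env:\n"
        "  TOKEN: ${{ secrets.GITHUB_TOKEN }}\n"   # a reference, not a secret
        "  SHORT: ghp_tooshort\n"                   # wrong length: no alert
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        action = "partner notified" if f.partner_notified else "no partner: owner must rotate"
        print(f"{f.path}:{f.line} {f.secret_type} {f.redacted} ({action})")
```

Running the block reports three findings (the two entries in `.env` and the Vault token in `deploy/vault.sh`) and nothing for the workflow file, whose `${{ secrets.GITHUB_TOKEN }}` is a reference rather than a credential and whose `ghp_tooshort` has the wrong length. Redacting in the finding itself is deliberate: an alert store that keeps full secrets becomes a second place to leak them.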
By using secret scanning alerts in your public repositories, you can help prevent secret exposures and build on open source with confidence.
How to get started
We’ll begin our gradual public beta rollout of secret scanning for public repositories today and expect all users to have the feature by the end of January 2023. If you want earlier access, or have any questions or feedback, please submit a request in our code security discussion.
Once secret scanning alerts are available for your repository, enable them under “Code security and analysis” in the repository’s settings. To review detected secrets, open the repository’s “Security” tab and select “Secret scanning” in the side panel underneath “Vulnerability alerts.” You will see a list of detected secrets; click any alert to reveal the compromised secret, where it was found, and the suggested remediation.
You can find more information on how to enable secret scanning alerts for your repository in our documentation.
Become a GitHub secret scanning partner
If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program. We currently support 200+ patterns and 100+ partners. To get started, please email secret-scanning@github.com.
- IBM, “Cost of a Data Breach 2022,” https://www.ibm.com/reports/data-breach