GitHub will now allow anyone to scan for exposed secrets, such as credentials or auth tokens, in any public repository on the code hosting platform.
Organizations can use secret scanning as a security measure to prevent the accidental disclosure of certain types of secrets.
The system works by matching patterns defined by service providers and partners. When a partner pattern matches, each match is reported in the repository’s Security tab.
Previously, secret scanning was available only to orgs that used GitHub Enterprise Cloud and had a GitHub Advanced Security licence.
GitHub scans repositories for many types of secrets, including API keys, authentication tokens, access tokens, management certificates, credentials, private keys and secret keys.
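To show what provider-defined pattern matching looks like in practice, here is an added example (not GitHub’s own scanner or code from the article) of a small scanner that runs simplified regexes for a few well-known secret formats over constructed file contents and reports each hit with a redacted value. The patterns, the `Finding` class, the `scan_files` helper and the sample files are all assumptions made for illustration; real partner patterns are maintained by each provider and may include checksums and further validation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Simplified, illustrative secret patterns (assumption: real provider patterns
# are richer than these and are maintained by the providers themselves).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
}


@dataclass(frozen=True)
class Finding:
    """One alert: where a secret-like string was found and which pattern hit."""
    path: str
    line: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep only a short prefix and suffix so alerts never re-expose the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line against every pattern."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (stands in for a repository tree)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents. The values are fake: the AWS key is
# the documented AWS example ID and the GitHub token is a run of "A"s.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "GITHUB_TOKEN = 'ghp_" + "A" * 36 + "'\n"
    ),
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
    "README.md": "Use the GITHUB_TOKEN env var; never commit it.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.redacted})")
```

The README line mentions a token by name but contains no token-shaped string, so it produces no finding; this is the difference between keyword grepping and pattern-based secret scanning. Redacting the matched value in the alert itself mirrors the point that an alert should let you locate and revoke a secret without copying it somewhere new.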
The company stated that it has issued more than 1.7 million alerts about potential secrets in public repositories since the beginning of the year.
“Today we are starting to roll out secret scanning to all public repositories within the GitHub community for free,” GitHub’s Mariam Sulakian and Zain Malik said on Thursday. “We’ll start our public beta rollout for secret scanning public repositories now and we expect all users will have it by January 2023.”
Once enabled in a repository, GitHub notifies developers about leaked secrets. This allows organizations to quickly track leaks and identify their source, and to act swiftly to stop any fraudulent use of secrets accidentally committed to public repositories.
Enabling and using GitHub secret scanning (GitHub)
Follow these steps to enable secret scanning alerts on a public repository:
- Navigate to GitHub.com and go directly to the repository’s main page.
- Click the “Settings” button under your repository name.
- Click “Code security analysis and protection” in the “Security” section.
- Scroll to the bottom and click “Enable Secret Scanning”. If secret scanning is already enabled for your repository, you will see a “Disable” button instead.
GitHub’s documentation page contains detailed information about how to enable secret scanning for your repositories.
GitHub announced in April that it had expanded its secret scanning capabilities for GitHub Advanced Security customers, protecting credentials from accidental exposure before code is committed remotely.
As BleepingComputer previously reported, exposed credentials and secrets have led to large-scale breaches.
Organizations using GitHub can enable secret scanning to improve their supply chain security and protect themselves against accidental leaks.