GitHub is rolling out support for the free scanning of exposed secrets (such as credentials and auth tokens) to all public repositories on its code hosting platform.
Secret scanning is a security option that organizations can enable for additional repository scanning to detect accidental exposure of known types of secrets.
It works by matching patterns provided by partners and service providers or defined by the organization. Each match is reported as a security alert in the repository’s Security tab, or to the relevant partner if a partner-provided pattern triggers the match.
Previously, the secret scanning service was only available to orgs using GitHub Enterprise Cloud with a GitHub Advanced Security license.
GitHub scans repositories for more than 200 token formats (including API keys, authentication tokens, access tokens, management certificates, credentials, private keys, secret keys, and more).
Since the start of this year alone, the company said it issued over 1.7 million alerts of potential secrets exposed in public repositories.
“Today, we’re starting to roll out secret scanning to all free public repositories in the GitHub community, for free,” GitHub’s Mariam Sulakian and Zain Malik said on Thursday.
“We’ll begin our gradual public beta rollout of secret scanning for public repositories today and expect all users to have the feature by the end of January 2023.”
Once the feature is enabled on a repository, GitHub automatically notifies developers of leaked secrets in code, allowing organizations to track alerts, identify a leak’s source, and quickly take action to prevent the fraudulent use of any secrets committed to a public repo by accident.
To toggle on secret scanning alerts for free public repositories, you have to go through the following steps:
On GitHub.com, navigate to the main page of the repository.
Under your repository name, click the repository “Settings” button.
In the “Security” section of the sidebar, click “Code security and analysis.”
Scroll down to the bottom of the page, and click “Enable” for secret scanning. If you see a “Disable” button, it means that secret scanning is already enabled for the repository.
In April, GitHub also announced that it expanded secret scanning’s capabilities for GitHub Advanced Security customers to automatically block commits containing exposed secrets and prevent accidental exposure of credentials before code is pushed to remote repos.
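To make the pattern-matching and block-on-commit behaviour described above concrete, here is an added Python example (not GitHub’s own code, and not its real set of 200+ partner patterns) that scans a constructed set of files for a few well-known token formats, reports each hit with its location and a redacted value, and refuses the commit the way push protection does. The regexes and sample file contents are assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Illustrative subset of token formats (assumption: GitHub's real pattern set
# is far larger and is provided by partners, not listed on the page).
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(value: str) -> str:
    """Keep only a 4-character prefix so the alert itself never re-leaks the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per pattern match, with file path and 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "type": name,
                    "redacted": redact(match.group(0)),
                })
    return findings


def push_protection(files: Dict[str, str]) -> Tuple[bool, List[Dict[str, object]]]:
    """Mimic a pre-push gate: allow only if no file contains a known secret format."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (len(findings) == 0, findings)


# Constructed sample commit contents (dummy values, not real credentials).
SAMPLE_FILES = {
    "config/settings.py": "API_URL = 'https://example.test'\nGITHUB_TOKEN = 'ghp_" + "A" * 36 + "'\n",
    "deploy/env.sh": "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\nexport REGION=us-east-1\n",
    "README.md": "No secrets here.\n",
}

if __name__ == "__main__":
    allowed, hits = push_protection(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit['path']}:{hit['line']}: {hit['type']} ({hit['redacted']})")
    print("commit allowed" if allowed else "commit blocked: remove the secrets and rotate them")
```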
Enabling secret scanning is an easy way for organizations using GitHub to increase supply-chain security and safeguard themselves from accidental leaks.