GitHub brings free secret scanning to all public repositories

News
By published

GitHub looks to help stop security breaches before they happen

GitHub security community
(Image credit: GitHub)

GitHub has announced it will be bringing its secret scanning capability to more users in a bid to help public repository admins detect leaked secrets in their repositories before a breach happens.

The launch forms part of the secret scanning partner program, which was set up to notify more than 100 service providers of token exposure in public repositories. 

The function was previous only available to organizations with GitHub Advanced Security, but it will now be available to admins of all public repositories.

Github secret scanning

Github claims to scan for over 200 token formats (like API keys and authentication tokens) that would usually take an average of 327 days to identify, and has already notified its partners of 1.7 million potential secret exposures in public repositories.

Rollout has already begun in beta form, and GitHub hopes that all of its members will have access by the end of January 2023. The company has also pointed at a discussion board where users can request early access or discuss the product in more detail.

“Once secret scanning alerts are available on your repository you can enable them in your repository’s settings under “Code security and analysis” settings," an entry on the company’s blog noted.

"You can see any detected secrets by navigating to the “Security” tab of your repository and selecting “Secret scanning” in the side panel underneath “Vulnerability alerts.” There, you will see a list of any detected secrets, and you can click on any alert to reveal the compromised secret, its location, and suggested action for remediation.”

Read more

> These are the best malware removal tools around

> GitHub launches Copilot for businesses

> Thousands of GitHub repositories are littered with malware

GitHub 2FA

With an emphasis on its commitment to security, GitHub has also announced that it will require all users who contribute code to set up two-factor authentication (2FA) on their accounts by the end of 2023, which will affect an estimated 94 million users.

A select group of users will first get notified of this mandatory verification in March 2023, which will provide a basis for evaluation before GitHub pushes it to its entire user base.

Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!