GitHub has announced that its secret scanning alerts service is now generally available for all public repositories and can be enabled to detect leaked secrets across a repository's entire history.
Secrets are sensitive data accidentally committed to GitHub repositories, including API keys, account passwords, authentication tokens, and other confidential values that can let attackers breach systems or access non-public data.
Threat actors typically search public GitHub repositories for authentication secrets to breach networks, steal data, or impersonate the company in their own attacks.
In December 2022, GitHub started rolling out a free beta of a secret scanning feature for all public repositories that checks for over 200 token formats to help developers detect accidental public exposure of sensitive data. Since then, 70,000 public repositories have enabled the feature.
Today, GitHub announced that the service is now generally available and that all owners and admins of public repositories can enable secret scanning alerts to secure their data.
“Starting today, the GitHub Secret Scan Alert experience is generally available and free for all public repositories,” reads GitHub's announcement.
“You can enable secret scan alerts in all repositories you own to notify you of secret leaks in your repository’s full history, including code, issues, description, and comments.”
In addition to notifying repository owners of leaked secrets, GitHub will continue to notify its 100+ secret scanning partners of exposed secrets so they can revoke the authentication token and notify their customers.
If the affected partner cannot be notified, alerting the repository administrator should be sufficient to ensure that the exposed secrets are removed from the public repository.
The code hosting platform uses the example of DevOps consultant and trainer @rajbos to highlight the value of secret scanning alerts. The developer says he enabled the feature on 13,954 public GitHub Actions repositories and found secrets in 1,110 of them (7.9%).
“Even though I train a lot of people on how to use GitHub Advanced Security, I’ve found secrets in my own repositories through it,” admits Rob Bos.
“Despite many years of experience, it happens to me too. That’s how easy it is to include secrets by mistake.”
Any GitHub user administering a public repository can enable secret scanning alerts by opening the “Settings” tab, clicking “Security and code analysis” under the Security section, and then clicking “Enable” next to “Secret Scan” at the bottom of the page.
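For anyone who, like @rajbos, administers thousands of repositories, clicking through the settings page does not scale; the same switch is exposed through the REST API's repository update endpoint. The following is an added example, not GitHub's or Rob Bos's code; it assumes a token with admin rights on the repositories and that the `security_and_analysis` field is present in the repository objects you feed it.

```python
# Bulk-enable secret scanning alerts on public repositories you administer
# (added example, not GitHub's code; token with admin rights is assumed).
import json
import urllib.request

API = "https://api.github.com"


def needs_enabling(repo: dict) -> bool:
    # Public, not archived, you hold admin, and alerts are not already on.
    if repo.get("private") or repo.get("archived"):
        return False
    if not (repo.get("permissions") or {}).get("admin"):
        return False
    sa = repo.get("security_and_analysis") or {}  # as in GET /repos/{owner}/{repo}
    return (sa.get("secret_scanning") or {}).get("status") != "enabled"


def select_repos(repos: list) -> list:
    # Names of the repositories that still need the alerts switched on.
    return [r["full_name"] for r in repos if needs_enabling(r)]


def enable_payload() -> dict:
    # Body for PATCH /repos/{owner}/{repo} that turns the alerts on.
    return {"security_and_analysis": {"secret_scanning": {"status": "enabled"}}}


def enable_secret_scanning(full_name: str, token: str) -> int:
    # Network call, not exercised offline; returns the HTTP status code.
    req = urllib.request.Request(
        f"{API}/repos/{full_name}", method="PATCH",
        data=json.dumps(enable_payload()).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample repository objects, trimmed to the fields used above.
SAMPLE_REPOS = [
    {"full_name": "example/public-app", "private": False, "archived": False,
     "permissions": {"admin": True},
     "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
    {"full_name": "example/already-on", "private": False, "archived": False,
     "permissions": {"admin": True},
     "security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
    {"full_name": "example/private-repo", "private": True, "archived": False,
     "permissions": {"admin": True}},
    {"full_name": "someone-else/fork", "private": False, "archived": False,
     "permissions": {"admin": False}},
]
```

Turning the alerts on does not undo a leak: a secret that has already been pushed to a public repository should be treated as compromised and rotated, not just deleted from the tree.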
Check GitHub's documentation for more information on how secret scanning works and how to get the most out of the new feature.