Microsoft-owned GitHub announced it’s rolling out secret scanning to all free public repositories on the platform, for free. Secret scanning notifies developers whenever it detects exposed secrets, such as user credentials and application tokens, within their code.
The feature was only available for paid enterprise users as part of the GitHub Advanced Security suite, but will be offered to all users by the end of January.
“At GitHub, we partner with service providers to flag leaked credentials on all public repositories through our secret scanning partner program,” reads GitHub’s announcement. “We scan repositories for 200+ token formats and work with relevant partners to help protect our mutual customers. In 2022, we notified our partners of over 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens.”
The company will roll out secret scanning gradually as a beta version for public repositories. Once the feature is available, you can enable it from the “Code security and analysis” section of your repository’s settings menu.
Detected secrets can be found by navigating to your repository’s ”Security” tab and heading to the “Secret scanning” category in the left side panel. The detected secrets list also contains the secret’s location and suggested mitigation steps.
Aside from secret scanning, GitHub plans to enforce mandatory 2FA throughout the platform. 2FA will roll out gradually, starting in March 2023, and will apply to “distinct groups of users,” such as:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsNovember 14, 2024
September 06, 2024