GitHub brings free secret scanning to all public repos
Hardcoding security credentials in source code is a bad idea, and every developer knows it. It still happens, and the consequences can be severe. Until now, GitHub’s secret scanning service was only available to enterprise customers paying for GitHub Advanced Security. Starting today, however, the Microsoft-owned company is making secret scanning free for all public GitHub repositories.
Through its secret scanning partner program, the company notified partners in 2022 of more than 1.7 million potential secrets exposed in public repositories. The service scans repositories for more than 200 token formats and alerts the issuing partner about potential leaks. You can also define your own regex patterns.
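To make the mechanism described above concrete, here is a toy secret scanner, added as an example for this article; it is not GitHub’s or any partner’s code, and the three built-in detectors (a classic GitHub personal access token, an AWS access key ID, a PEM private-key header) are simplified assumptions, not GitHub’s real rule set. It also shows the two things a practitioner cares about beyond pattern matching: user-defined patterns, like the custom regexes the article mentions (the `acme_` format below is a hypothetical in-house token), and an entropy filter that drops obvious placeholders such as `ghp_000…` so they do not drown real findings in noise. The sample file contents are constructed for the example and contain no real credentials.

```python
"""Toy secret scanner: built-in token patterns, user-defined regexes,
and an entropy filter to discard obvious placeholders. Illustration only."""
import math
import re
from dataclasses import dataclass

# Hypothetical, simplified detectors (assumption: these are NOT GitHub's real
# detectors, which cover 200+ formats and are not published as plain regexes).
# Each entry is (regex, check_entropy). Entropy is only meaningful for
# random-looking tokens, not for fixed markers such as a PEM header.
BUILTIN_PATTERNS = {
    "github_pat":        (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), True),
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    "private_key":       (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), False),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str  # never log or store the full secret


def shannon_entropy(s: str) -> float:
    """Bits per character: random API tokens score ~4 or more, '0000...' near 0."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding is identifiable but not reusable."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str, custom_patterns=None, min_entropy: float = 3.0):
    """Return a Finding for every match of a built-in or custom rule.

    custom_patterns: {name: regex_string}, analogous to user-defined patterns;
    custom matches are always entropy-checked. Matches whose entropy falls
    below min_entropy are treated as placeholders and skipped.
    """
    rules = dict(BUILTIN_PATTERNS)
    for name, rx in (custom_patterns or {}).items():
        rules[name] = (re.compile(rx), True)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, (rx, check_entropy) in rules.items():
            for m in rx.finditer(line):
                token = m.group(0)
                if check_entropy and shannon_entropy(token) < min_entropy:
                    continue  # e.g. ghp_000000...: right shape, no randomness
                findings.append(Finding(name, line_no, redact(token)))
    return findings


# Constructed sample of a config file a developer might commit by mistake.
SAMPLE_SOURCE = """\
# config.py (constructed sample, not real credentials)
GITHUB_TOKEN = "ghp_000000000000000000000000000000000000"   # placeholder
DEPLOY_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
AWS_ACCESS_KEY_ID = "AKIAQ4ZJ7X2PMBV9HR3C"
ACME_API_KEY = "acme_3f9a1c7e5b2d4806a9f1e3c5d7b9a2f4"
KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

# A custom pattern for a hypothetical in-house token format (assumption).
CUSTOM = {"acme_api_key": r"\bacme_[0-9a-f]{32}\b"}

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, CUSTOM):
        print(f"line {f.line_no}: {f.rule} -> {f.redacted}")
```

Run as a script it reports four findings (lines 3 to 6) and stays silent on the all-zero placeholder on line 2. In a real pipeline the same `scan_text` would be run over the added lines of each commit, for example from a GitHub Actions job or a pre-commit hook, and findings would be reported only in redacted form.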
Postmates staff security engineer David Ross said that secret scanning revealed a lot of important issues that needed to be addressed. “AppSec is often the best way to see code issues.
If you host your code on GitHub, the company will now notify you directly about any leaked secrets it finds in that code, rather than only alerting the partner whose token format matched. This means you will be notified even of secrets that are not shared with a partner.
To use the service, you must enable it in your GitHub security settings. The rollout will be gradual and will not reach all users until January 2023.
GitHub’s tool is not the only one that can scan for leaked secrets. There are open source tools such as Gitleaks (which can be integrated with GitHub Actions), as well as a plethora of security companies like Nightfall and Check Point’s Spectral, although their services are not limited to secret scanning and are often geared towards enterprises.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.