
The new service allows developers to find exposed secrets and credentials.

In a move to secure the global software supply chain, GitHub plans to allow developers to scan their repositories for exposed secrets and credentials for free. The new service was announced in a Tweet this week.

Mariam Salakian (Senior Product Manager) and Zain Malik (Senior Product Marketing Manager) described the scanning service in a blog post. “Exposed secrets and credentials are the most common cause of data breaches and often go untracked”, they explained. “With an average of 327 days to identify, these data breaches have shown that credential leaks can lead to severe consequences.”

GitHub partners with service providers to flag leaked credentials on all public repositories through its secret scanning partner program. The site claims it can scan repositories for 200+ token formats and works with relevant partners to help protect mutual customers. “In 2022, we notified our partners of over 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens”, Salakian and Malik said.

Here’s how it works

In their post, the two GitHub managers explained how the new secret scanning process will work. “Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories.”

Users will also receive alerts for secrets in the event that a partner can’t be notified. An example of such an instance would be when the keys to the user’s self-hosted HashiCorp Vault are exposed. Users will always be able to track alerts, drill deeper into the leak’s source and audit actions taken on the alert.
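To make the mechanics concrete, here is an added example (not GitHub's code, and not its pattern set, which covers 200+ provider formats) of what a secret scanner does: match known token formats line by line, then emit an alert that points at the file and line, carries a masked value so the alert itself does not re-leak the secret, and includes a stable fingerprint so repeat alerts for the same credential can be tracked. The two prefixes used are publicly documented (classic GitHub personal access tokens begin with `ghp_`, AWS access key IDs with `AKIA`); the sample files, the `Finding` type and the function names are constructed for this illustration.

```python
import hashlib
import re
from dataclasses import dataclass

# Illustrative pattern table (an assumption for this example, not GitHub's list).
# Classic GitHub PATs are "ghp_" plus 36 alphanumerics; AWS access key IDs are
# "AKIA" plus 16 upper-case alphanumerics.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str          # which token format matched
    path: str          # file the secret was found in
    line: int          # 1-based line number, so the alert points at the source
    redacted: str      # masked value: the alert never echoes the full secret
    fingerprint: str   # stable hash so the same leaked secret can be tracked


def redact(secret: str, keep: int = 4) -> str:
    """Keep only the identifying prefix; mask the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return an alert per matched token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(0)
                findings.append(Finding(
                    kind=kind,
                    path=path,
                    line=line_no,
                    redacted=redact(secret),
                    fingerprint=hashlib.sha256(secret.encode()).hexdigest()[:16],
                ))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (a stand-in for walking a checkout)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository. The GitHub token is a made-up string of the
# right shape; the AWS key ID is the placeholder value used in AWS's own docs.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "GITHUB_TOKEN = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
    ),
    "README.md": "Nothing sensitive in here.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.kind}: {f.path}:{f.line} value={f.redacted} id={f.fingerprint}")
```

Run as a script it reports two alerts, both in `config/settings.py` (lines 2 and 3), with the token bodies masked. The fingerprint is what lets an alerting system recognise that a secret it already flagged has merely moved to another file or commit, rather than raising a fresh alert; in a real deployment the matched value should be rotated, not just removed from history.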

The public beta rollout of secret scanning for public repositories has started this week. GitHub expects all users to have the feature by the end of January 2023.