The service detects leaked secrets across a repository's entire Git history, not just its current tree, including sensitive data such as API keys, account passwords, authentication tokens and other credentials that attackers can use to breach networks, steal data or impersonate a company.
According to GitHub, threat actors routinely search public repositories for authentication secrets to use in attacks. In December 2022, the platform rolled out a beta version of its free secret scanning feature to all public repositories.
The feature scans for over 200 token formats to help developers find accidental public exposure of sensitive data, and it has already been enabled on 70,000 public repositories.
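The two properties the article leans on (issuer-specific token formats, and scanning every historical revision rather than only the current tree) are easy to see in a small scanner. The following is an added illustration, not GitHub's code: the four patterns are a tiny subset of well-known formats, the entropy fallback is a common practitioner heuristic for secrets that have no fixed prefix, and the commit history at the bottom is constructed sample data (snapshots of a tree, with fake token values) rather than a real repository. It shows why a token that was committed and later deleted is invisible to a scan of HEAD but still found by a scan of history.

```python
"""Toy history-aware secret scanner (added example, not GitHub's code)."""
import math
import re
from dataclasses import dataclass

# Issuer-specific formats. Anchoring on a fixed prefix keeps false positives low.
TOKEN_PATTERNS = {
    "github_personal_access_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Fallback for formats without a fixed prefix: long, random-looking strings.
GENERIC_CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; uniformly random base62 is ~5.95


@dataclass(frozen=True)
class Finding:
    sha: str        # first commit in which the secret appears
    path: str
    line_no: int
    secret_type: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(sha: str, path: str, text: str) -> list:
    """Run every pattern over each line; the generic detector only fires on
    spans that no issuer-specific pattern has already claimed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = []
        for secret_type, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(sha, path, line_no, secret_type, m.group(0)))
                covered.append(m.span())
        for m in GENERIC_CANDIDATE.finditer(line):
            overlaps = any(m.start() < b and a < m.end() for a, b in covered)
            if not overlaps and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(sha, path, line_no, "high_entropy_string", m.group(0)))
    return findings


def scan_head(history: list) -> list:
    """What a scan of the current tree alone sees."""
    head = history[-1]
    return [f for path, text in head["files"].items() for f in scan_text(head["sha"], path, text)]


def scan_history(history: list) -> list:
    """What a history-aware scan sees: every revision, first occurrence kept."""
    seen, findings = set(), []
    for commit in history:
        for path, text in commit["files"].items():
            for f in scan_text(commit["sha"], path, text):
                key = (f.path, f.secret_type, f.secret)
                if key not in seen:
                    seen.add(key)
                    findings.append(f)
    return findings


# Constructed sample history: each entry is a full snapshot of the tree.
FAKE_PAT = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # fake; 36 chars after the prefix
SAMPLE_HISTORY = [
    {"sha": "c0ffee1", "files": {
        "deploy.sh": f"#!/bin/sh\nexport GITHUB_TOKEN={FAKE_PAT}\n./publish.sh\n",
    }},
    {"sha": "c0ffee2", "files": {  # PAT "removed", AWS key (the AWS docs example) added
        "deploy.sh": '#!/bin/sh\nexport GITHUB_TOKEN="$CI_TOKEN"\n./publish.sh\n',
        "config/aws.ini": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    }},
    {"sha": "c0ffee3", "files": {  # AWS key "removed", prefix-less secret added
        "deploy.sh": '#!/bin/sh\nexport GITHUB_TOKEN="$CI_TOKEN"\n./publish.sh\n',
        "config/aws.ini": "[default]\naws_access_key_id = ${AWS_ACCESS_KEY_ID}\n",
        "app/settings.py": 'SESSION_SECRET = "qV7pL2mZ9xR4tB8nW1kD6yH3sJ5gF0cA"\n',
    }},
]

if __name__ == "__main__":
    print("HEAD only:", [(f.path, f.secret_type) for f in scan_head(SAMPLE_HISTORY)])
    print("history:  ", [(f.sha, f.path, f.secret_type) for f in scan_history(SAMPLE_HISTORY)])
```

Against the sample, the HEAD-only scan reports just the prefix-less session secret, while the history scan also surfaces the personal access token from the first commit and the AWS key from the second, even though both were "cleaned up" in later commits. That is exactly the case the article's history-wide scanning is meant to catch, and it is why a deleted secret still needs to be revoked.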
With general availability, all public repository owners and admins can enable alerts to protect their data. An alert notifies the repository owner of the leaked secret; when the secret matches a format belonging to one of GitHub's more than 100 secret scanning partners, the issuing partner is notified as well so that it can revoke the token and inform its customer. Where no partner can be reached, the alert to the repository admin is meant to ensure the exposed secret is removed from the public repository. In practice, removal alone is not enough: a secret that has been public, even briefly, must be treated as compromised and revoked, because the history may already have been cloned or indexed before it was cleaned up.
GitHub cites the example of DevOps consultant and trainer Rob Bos (@rajbos) to demonstrate the power of the secret scanner and its alerts. He enabled the feature on 13,954 public repositories related to GitHub Actions and found secrets in 1,110 of them (7.9%).
“Even though I train a lot of folks on using GitHub Advanced Security, I found secrets in my own repositories through this,” admitted Rob Bos. “Despite multiple years of experience, it also happens to myself. That’s how easy it is to include secrets by mistake.”
How to enable the feature?
Any GitHub user who administers a public repository can enable secret scanning alerts by opening the repository's "Settings" tab, selecting "Code security and analysis" under the Security section, and clicking "Enable" next to "Secret scanning" at the bottom of the page.
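Clicking through the settings page works for one repository, but not for the thousands Rob Bos covered. The same setting is exposed through GitHub's REST API ("Update a repository", `PATCH /repos/{owner}/{repo}`, with `security_and_analysis.secret_scanning.status`), and the resulting alerts can be pulled from `GET /repos/{owner}/{repo}/secret-scanning/alerts`. The script below is an added example, not GitHub's tooling; it assumes a token with admin rights on each repository in the hypothetical list under `__main__`, read from the `GITHUB_TOKEN` environment variable. The alert records at the bottom are constructed sample data shaped like a subset of the API's response fields, so the summary logic can be exercised offline.

```python
"""Enable secret scanning alerts via the REST API and summarise open alerts.
Added example, not GitHub's own code."""
import json
import os
import urllib.request

API = "https://api.github.com"


def enable_payload(push_protection: bool = False) -> dict:
    """Body for PATCH /repos/{owner}/{repo}. Push protection is a separate,
    related setting; it is left off unless explicitly requested."""
    settings = {"secret_scanning": {"status": "enabled"}}
    if push_protection:
        settings["secret_scanning_push_protection"] = {"status": "enabled"}
    return {"security_and_analysis": settings}


def api_request(method: str, path: str, token: str, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{API}{path}", data=data, method=method,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
        return json.loads(raw) if raw else None


def enable_secret_scanning(owner: str, repo: str, token: str) -> None:
    api_request("PATCH", f"/repos/{owner}/{repo}", token, enable_payload())


def list_open_alerts(owner: str, repo: str, token: str) -> list:
    """Walk the alerts endpoint page by page (100 per page) until exhausted."""
    alerts, page = [], 1
    while True:
        batch = api_request(
            "GET",
            f"/repos/{owner}/{repo}/secret-scanning/alerts?state=open&per_page=100&page={page}",
            token,
        )
        alerts.extend(batch)
        if len(batch) < 100:
            return alerts
        page += 1


def summarize(alerts: list) -> dict:
    """Count still-open alerts per secret type; resolved alerts are skipped."""
    counts = {}
    for a in alerts:
        if a["state"] != "open":
            continue
        counts[a["secret_type"]] = counts.get(a["secret_type"], 0) + 1
    return counts


def oldest_open(alerts: list):
    """Number of the open alert that has been exposed longest, or None.
    The longest-exposed credential is the one to revoke first."""
    open_alerts = [a for a in alerts if a["state"] == "open"]
    if not open_alerts:
        return None
    return min(open_alerts, key=lambda a: a["created_at"])["number"]


# Constructed sample, shaped like the alerts endpoint's JSON (subset of fields).
SAMPLE_ALERTS = [
    {"number": 3, "state": "open", "secret_type": "github_personal_access_token",
     "created_at": "2023-02-10T08:00:00Z", "resolution": None},
    {"number": 2, "state": "resolved", "secret_type": "aws_access_key_id",
     "created_at": "2023-01-20T08:00:00Z", "resolution": "revoked"},
    {"number": 1, "state": "open", "secret_type": "github_personal_access_token",
     "created_at": "2022-12-15T08:00:00Z", "resolution": None},
]

if __name__ == "__main__":
    token = os.environ["GITHUB_TOKEN"]
    for full_name in ["octocat/hello-world"]:  # hypothetical repository list
        owner, repo = full_name.split("/", 1)
        enable_secret_scanning(owner, repo, token)
        alerts = list_open_alerts(owner, repo, token)
        print(full_name, summarize(alerts), "oldest open alert:", oldest_open(alerts))
```

Run offline, `summarize(SAMPLE_ALERTS)` yields two open personal access token alerts and ignores the already-revoked AWS key, and `oldest_open` points at alert 1, the one created first. Enabling the setting is idempotent, so the script can be re-run safely across an organisation's repository list.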
Overall, GitHub's secret scanning alerts give maintainers of public repositories a free way to catch committed credentials, in current and historical commits alike. Detection is only half of the response, though: every alert should be followed by revoking and rotating the exposed credential, not merely deleting it from the repository.