GitHub can now tell you if you ever leak any secrets in your code

GitHub’s secret scanning alert feature, which was launched in public beta format in December 2022, is now generally available for free across all public repositories.

In a blog post, the developer platform noted that 70,000 public repositories had turned on secret scanning alerts during the beta, and so the full release will be welcome news to many of developers worldwide.

GitHub says that you can turn on the feature across public repositories that you own to help notify you of leaked secrets in code, issues, description, and comments.

GitHub secret scanning

The feature works with over 100 service providers in the GitHub Partner Program which sees the company notifying users and partners upon detecting leaked secrets. 

“With secret scanning alerts enabled, you’ll now also receive alerts for secrets where it’s not possible to notify a partner – for example, if self-hosted keys are exposed – along with a full audit log of actions taken on the alert,” Github noted.

The platform noted an experienced developer who had used the tool to scan 14,000 public GitHub Action repositories, resulting in the finding of more than 1,000 secrets, showing how easy it can be to miss them, thus the significance of the tool.

A support document explains when a developer may want to use the tool:

“If you check a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with your privileges.”

These can include anything from API keys to passwords, authentication tokens, and any other sensitive information. 

‘Secret scanning’ can be found under ‘Settings’ > ‘Code security and analysis’ > ‘Security’, where it can be enabled or disabled.