- GitHub begins the gradual public beta rollout of Secret Scanning for public repositories today and expects all users to have the feature by the end of January 2023.
- Secret Scanning scans the entire Git history on all branches present in the GitHub repository for secrets, even if the repository is archived.
- Users can enable Secret Scanning alerts, once the feature is available to them, in the repository’s settings under “Code security and analysis”.
GitHub, the Microsoft-owned company, is making its Secret Scanning service available for free on all public GitHub repositories. Until now, it was only available to users who paid for GitHub Advanced Security. The feature detects secrets, such as keys and tokens, that have been checked into private repositories.
No more leaked secrets
From now on, GitHub will automatically alert users about their leaked secrets. The feature can be enabled in the repository’s settings under Code security and analysis. Users can see any detected secrets by navigating to the Security tab of the repository and selecting Secret Scanning in the side panel underneath Vulnerability alerts. The list of detected secrets reveals the compromised secret, its location, and the suggested remediation action.
The gradual public beta rollout of the feature starts today and is expected to be completed by the end of January 2023. GitHub said,
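The full-history, all-branches behaviour described above, as an added example that is not GitHub’s own scanner: a small Python checker over `git log --all -p` output, with two well-known token shapes and a constructed history in which the token was removed in the latest commit but survives in an earlier one. The `scan_repo` helper and the sample history are assumptions for illustration.

```python
import re
import subprocess
from dataclasses import dataclass

# Well-known token shapes; a real scanner has many more and validates each hit.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

@dataclass(frozen=True)
class Finding:
    commit: str
    kind: str
    secret: str

def find_secrets(history_patch: str) -> list[Finding]:
    """Walk `git log --all -p` text and report added lines that match a pattern."""
    findings, commit = [], "?"
    for line in history_patch.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    findings.append(Finding(commit, kind, m.group(0)))
    return findings

def scan_repo(path: str) -> list[Finding]:
    """Assumed helper: ask git for every branch and tag (--all) and the whole history."""
    out = subprocess.run(["git", "-C", path, "log", "--all", "-p"],
                         check=True, capture_output=True, text=True).stdout
    return find_secrets(out)

# Constructed history (fake, non-working values): the token is removed in the
# newest commit, yet the older commit still carries it, so HEAD-only checks miss it.
SAMPLE_HISTORY = """\
commit 2222222222222222222222222222222222222222
diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
-GITHUB_TOKEN=ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0
+GITHUB_TOKEN=${GITHUB_TOKEN}
commit 1111111111111111111111111111111111111111
diff --git a/config.env b/config.env
--- /dev/null
+++ b/config.env
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000
+GITHUB_TOKEN=ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0
"""
```

Running `find_secrets(SAMPLE_HISTORY)` reports both values under the older commit only, which is the alert a reviewer of the latest tree alone would never see.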
« Secret Scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner, for example, if the keys to your self-hosted HashiCorp Vault are exposed. You’ll always have easy tracking across all alerts to drill deeper into the leak’s source and audit actions taken on the alert. »