- GitHub's free secret scanning alerts, which scan code, issues, descriptions and comments in public repositories, are now generally available and can be enabled manually.
- A DevOps consultant and trainer who enabled secret scanning on roughly 14,000 repositories reported finding about a thousand secrets, and he even claimed to have discovered secrets in his own code.
- Secret scanning alerts can be enabled by any owner or administrator of a public repository, and enterprise administrators and organization owners can also bulk-enable alerts for numerous repositories.
Back in December, GitHub launched a beta of free secret scanning alerts for public repositories; the feature is now generally available, at no cost, for all public repositories. Once enabled, secret scanning checks the whole repository, including code, issues, descriptions and comments, and alerts you when it finds an exposed secret. Where the leaked secret belongs to a GitHub partner service, GitHub also notifies that partner so the credential can be revoked; where there is no partner to notify, for example an exposed self-hosted key, the alert still goes to the repository owner.
No secrets leaked
Around a thousand secrets were found by a DevOps consultant and trainer who had enabled secret scanning on about 14,000 repositories. He said:
« My research proves the point to why everyone should have secret scanning enabled. I have researched 14 thousand public GitHub Action repositories and found over one thousand secrets in them! Even though I train a lot of folks on using GitHub Advanced Security, I found secrets in my own repositories through this. Despite multiple years of experience, it also happens to myself. That’s how easy it is to include secrets by mistake. »
The goal of secret scanning is to prevent unintentional exposure of sensitive information in public repositories by identifying potential secrets and alerting on them, which reduces the chance of a costly mistake. An alert is not a fix, though: a secret that has reached a public repository should be treated as compromised, so the credential still has to be revoked and rotated after the alert fires.
How to get the alerts
Any owner or administrator of a public repository can enable secret scanning alerts, and enterprise administrators and organization owners can bulk-enable them across many repositories. In a repository, open the Settings tab, choose Code security and analysis under Security, find Secret scanning and click Enable.
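Clicking Enable in every one of 14,000 repositories is not practical, so the same setting is usually flipped from a script. The following is an added example, not GitHub's own tooling and not code from the consultant quoted above. It assumes the GitHub REST endpoints as documented by GitHub: PATCH /repos/{owner}/{repo} with a security_and_analysis body to turn secret scanning on, and GET /repos/{owner}/{repo}/secret-scanning/alerts to list what it found. The repository names, the GITHUB_TOKEN and REPOS environment variables, and the SAMPLE_ALERTS listing are all assumptions constructed for the example; network calls only run when a token is present, and the two helpers that build the request and summarize the alerts are pure so they work offline.

```python
"""Bulk-enable GitHub secret scanning alerts and summarize the resulting alerts.

Added example. Assumes the documented REST endpoints:
  PATCH /repos/{owner}/{repo}          body: {"security_and_analysis": ...}
  GET   /repos/{owner}/{repo}/secret-scanning/alerts
The token needs admin rights on each repository (and the security_events
scope to read alerts). Repository names and sample data are constructed.
"""
import json
import os
import urllib.request
from collections import Counter

API = "https://api.github.com"


def enable_payload() -> dict:
    """Request body that turns on secret scanning alerts for one repository."""
    return {"security_and_analysis": {"secret_scanning": {"status": "enabled"}}}


def summarize_alerts(alerts: list) -> dict:
    """Count open vs. resolved alerts and group open ones by secret_type,
    so the noisiest leak types surface first in the report."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    by_type = Counter(a.get("secret_type", "unknown") for a in open_alerts)
    return {
        "open": len(open_alerts),
        "resolved": len(alerts) - len(open_alerts),
        "by_type": dict(by_type),
    }


def github_request(method: str, path: str, token: str, body=None):
    """Minimal authenticated call to the GitHub REST API (assumed token in env)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API + path,
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def enable_and_report(repos: list, token: str) -> dict:
    """Enable secret scanning on each 'owner/name' repository, then pull its alerts.
    Only the first page (100 alerts) is fetched; paginate via the Link header
    if a repository has more."""
    report = {}
    for full_name in repos:
        github_request("PATCH", f"/repos/{full_name}", token, enable_payload())
        alerts = github_request(
            "GET", f"/repos/{full_name}/secret-scanning/alerts?per_page=100", token
        )
        report[full_name] = summarize_alerts(alerts)
    return report


# Constructed sample alert listing shaped like the API response (not real data).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "aws_access_key_id"},
    {"number": 2, "state": "open", "secret_type": "github_personal_access_token"},
    {"number": 3, "state": "resolved", "secret_type": "aws_access_key_id"},
    {"number": 4, "state": "open", "secret_type": "aws_access_key_id"},
]


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed: a PAT with admin rights
    repos = [r for r in os.environ.get("REPOS", "").split(",") if r]  # "owner/name,..."
    if token and repos:
        print(json.dumps(enable_and_report(repos, token), indent=2))
    else:
        # Offline run: show what the summary looks like on the constructed sample.
        print(json.dumps(summarize_alerts(SAMPLE_ALERTS), indent=2))
```

Run it with GITHUB_TOKEN and REPOS set to enable scanning and report across a list of repositories; without them it only summarizes the constructed sample. The summary groups by secret_type deliberately: a single leaked cloud key and a hundred leaked test-fixture tokens need very different follow-up, and the grouping tells you which rotation to start with.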
