GitHub can now tell you if you ever leaked any secrets in your code
GitHub’s secret scanning alert feature, which launched in public beta in December 2022, is now generally available for free on all public repositories.
In a blog post, the developer platform notes that 70,000 public repositories enabled secret scanning alerts during the beta, so the full release will be good news for many developers worldwide.
GitHub says you can enable the feature on public repositories you own to be notified of leaked secrets in code, issues, descriptions, and comments.
GitHub Secret Scan
The feature works with more than 100 service providers in the GitHub Partner Program, meaning the company will notify both users and the affected partners when it detects leaked secrets.
“When secret scan alerts are enabled, you will now also receive warnings about secrets that could not be communicated to a partner – for example, if a self-hosted key is exposed – along with a full audit log about actions taken on the alert,” noted GitHub.
The platform credits an experienced developer who used the tool to scan 14,000 public GitHub Actions repositories and found more than 1,000 secrets, which shows how easily secrets are missed and why such tools matter.
A supporting document explains when a developer might want to use this tool:
“If you check a secret into a repository, anyone with read access to the repository can use that secret to access an external service with your privileges.”
These secrets can include anything from API keys and passwords to authentication tokens and other sensitive information.
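To make concrete what a secret scanner looks for in code, issue text and comments, here is a small added example (not GitHub's code, and much simpler than its partner-pattern matching). It combines two well-documented token prefixes (GitHub classic personal access tokens starting with `ghp_`, AWS access key IDs starting with `AKIA`) with a generic high-entropy check on values assigned to sensitive-looking names, and it masks matched values so the report itself does not re-leak them. The sample text is constructed for the example; the AWS key in it is Amazon's documented placeholder, and the other values are made up.

```python
import math
import re

# Two widely documented token formats, used here as an assumed, simplified stand-in for
# the far larger set of partner patterns a real secret scanner carries.
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic catch-all: an assignment to a sensitive-looking name whose value is long
# (20+ characters from a key-like alphabet). Entropy decides whether it is random-looking.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|passwd|api[_-]?key)\w*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)

# Constructed sample standing in for a committed config file (not taken from the article).
SAMPLE = """\
# constructed snippet for the example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
github_token = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
DB_PASSWORD = "changeme-changeme-changeme"
API_KEY = "${API_KEY_FROM_VAULT}"
SESSION_SECRET = "Qz8vL2pXw4nR9tKbY7mH3sD6fG1jN5cV"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random keys score high, words and placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value: str) -> str:
    """Keep just enough of a value to recognise it in a report; never echo the whole secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per suspected secret: line number, kind, and a masked value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Known prefixes are reported by their specific kind, wherever they appear on the line.
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": line_no, "kind": kind, "value": mask(m.group(0))})
        # Otherwise fall back to "sensitive name = random-looking value".
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if any(p.search(value) for p in KNOWN_PATTERNS.values()):
                continue  # already reported above under its specific kind
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"line": line_no, "kind": "high_entropy_value",
                                 "name": name, "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f.get('name', '')} {f['value']}")
```

Run against the constructed sample, this flags the AWS key on line 2, the GitHub token on line 3 and the random session secret on line 6, while leaving the `changeme` placeholder and the `${...}` vault reference alone. The entropy threshold is the knob that trades false positives against misses; a real scanner would also look at git history rather than only the current working tree, since a secret removed in a later commit is still readable by anyone with access to the repository.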
‘Secret Scan’ can be found under ‘Settings’ > ‘Code Security and Analysis’ > ‘Security’, where the feature can be turned on or off.