GitHub has announced it will be bringing its secret scanning capability to more users in a bid to help public repository admins detect leaked secrets in their repositories before a breach happens.
The launch forms part of the secret scanning partner program, which was set up to notify more than 100 service providers of token exposure in public repositories.
The function was previous only available to organizations with GitHub Advanced Security, but it will now be available to admins of all public repositories.
Github secret scanning
Github claims to scan for over 200 token formats (like API keys and authentication tokens) that would usually take an average of 327 days to identify, and has already notified its partners of 1.7 million potential secret exposures in public repositories.
Rollout has already begun in beta form, and GitHub hopes that all of its members will have access by the end of January 2023. The company has also pointed at a discussion board (opens in new tab) where users can request early access or discuss the product in more detail.
“Once secret scanning alerts are available on your repository you can enable them in your repository’s settings under “Code security and analysis” settings,” an entry on the company’s blog (opens in new tab) noted.
“You can see any detected secrets by navigating to the “Security” tab of your repository and selecting “Secret scanning” in the side panel underneath “Vulnerability alerts.” There, you will see a list of any detected secrets, and you can click on any alert to reveal the compromised secret, its location, and suggested action for remediation.”
GitHub 2FA
With an emphasis on its commitment to security, GitHub has also announced that it will require all users who contribute code to set up two-factor authentication (2FA) on their accounts by the end of 2023, which will affect an estimated 94 million users.
A select group of users will first get notified of this mandatory verification in March 2023, which will provide a basis for evaluation before GitHub pushes it to its entire user base.
