GitHub has partnered with the Python Package Index (PyPI), a third-party software repository for the Python programming language, to provide a new service aimed at protecting against leaked PyPI API tokens. This initiative starts immediately with GitHub hunting for vulnerabilities.
GitHub announced that starting on March 22, 2021, they would begin scanning all commits to public repositories for exposed PyPI API tokens. Once tokens are discovered, they will be forwarded to PyPI for automatic disablement. Token owners will then be notified of the action.
This new process, which GitHub notes takes a matter of seconds to process from end-to-end, works to secure one of 35 tokens that the company has scanned for to date. This overall initiative for secret scanning at GitHub began back in 2018.
