GitHub can now tell you if you ever leak any secrets in your code
GitHub’s secret scan alerts feature, which launched in public beta format in December 2022, is now generally available for free in all public repositories.
In a blog post, the developer platform noted that 70,000 public repositories had secret scan alerts enabled during the beta, so the full release will be welcome news to developers around the world.
GitHub says you can enable the feature on public repositories you own to be notified of secrets leaked in code, issues, descriptions, and comments.
The feature works with over 100 service providers in the GitHub partner program, with the company notifying users and partners when leaked secrets are detected.
“With secret scan alerts enabled, you will also now receive alerts for secrets where it is not possible to notify a partner – for example if self-hosted keys are released – along with a full audit log of actions taken on the alert,” GitHub noted.
The platform also highlighted an experienced developer who had used the tool to scan 14,000 public GitHub Actions repositories and discovered over 1,000 secrets, demonstrating how easy they are to miss and hence the value of the tool.
A supporting document explains when a developer would want to use the tool:
“If you check in a secret to a repository, anyone who has read access to the repository can use the secret to access the remote service with your privileges.”
These can be anything from API keys to passwords, authentication tokens, and other sensitive information.
‘Secret scanning’ can be found under ‘Settings’ > ‘Code protection and analysis’ > ‘Security’, where it can be enabled or disabled.
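To illustrate the kind of detection the article describes, the following Python script is an added example (not GitHub's own implementation, whose provider patterns are not public in this form). It scans text for a few well-known credential formats and, as a fallback for the "self-hosted keys" case where no partner pattern exists, for long high-entropy values assigned to sensitive-looking names. The regexes, the entropy threshold, the `Finding` type and the sample input are all constructed assumptions for this example; the sample contains no real credentials.

```python
import math
import re
from dataclasses import dataclass

# Constructed patterns for illustration only (not GitHub's provider patterns).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic fallback: a sensitive-looking name assigned a value of 16+ token characters.
# The value is then checked for high entropy, which catches keys no partner pattern covers.
ASSIGNMENT = re.compile(
    r"""(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{16,})"""
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # never store or print the full matched value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score well above plain words."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without re-leaking the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return one Finding per line that matches a known format or a high-entropy assignment."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, redact(m.group(0))))
                matched = True
        if matched:
            continue  # a specific provider pattern already explains this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append(Finding(line_no, "high_entropy_assignment", redact(m.group(1))))
    return findings


# Constructed sample input, standing in for a diff or file about to be committed.
SAMPLE_DIFF = "\n".join([
    "# constructed sample, not real credentials",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    "GITHUB_TOKEN=ghp_" + "a" * 36,
    'db_password = "CorrectHorseBatteryStaple42"',
    "-----BEGIN RSA PRIVATE KEY-----",
    "debug = true",
    'secret = "changeme"',  # too short and low-entropy: deliberately not flagged
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Run as a pre-commit hook over the staged diff, a non-empty result is a reason to block the commit; the point of the article, that anyone with read access to the repository can use a committed secret, is why the check belongs before the push rather than after. The fixed patterns give precise, low-noise matches, while the entropy fallback trades some false positives for coverage of self-hosted or otherwise unregistered key formats, so its threshold is a tuning knob rather than a constant.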