Tuesday, July 23, 2024

Proactively Prevent Secret Leaks With GitHub

Breaches attributable to credential misuse continue to affect all of us. While safeguarding credentials seems simple, the scale and interconnected nature of modern software development make it difficult. To date, GitHub has detected more than 700,000 secrets across thousands of private repositories using secret scanning for GitHub Advanced Security; GitHub also scans for our partner patterns across all public repositories (for free). Today, we’re adding the option for GitHub Advanced Security customers to prevent leaks from happening altogether by scanning for secrets before a git push is accepted.

By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether.

GitHub secret scanning’s new push protection capability embeds secret scanning in the developer workflow. To make this possible without disrupting development productivity, push protection only supports token types that can be detected accurately. Last year, we changed the format of our own secrets and started collaborating with other token issuers to drive highly identifiable patterns. Today, we’re launching with support for 69 high confidence patterns that each have a signal-to-noise ratio that developers can trust.

With push protection, GitHub will check for high-confidence secrets as developers push code and block the push if a secret is identified. High-confidence secrets have a low false positive rate, so security teams can protect their organizations without compromising developer experience.

We check for 100+ different token types to detect secrets. If a secret is identified, developers can review and remove the secrets from their code before pushing again. In rare cases where immediate remediation doesn’t make sense, developers can move forward by resolving the secret as a false positive, test case, or real instance to fix later.

If secret scanning push protection is bypassed, GitHub will generate a closed security alert for secrets identified as test cases or false positives. For secrets flagged to resolve later, GitHub will generate an open security alert for both the developer and the repository administrator to collaborate on. Teams can also leverage the organization and enterprise-level security overview to track their overall security posture, including any secret scanning alerts.
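The alerts described above can be reviewed programmatically. The following Python is an added example (not GitHub's own code) that groups secret scanning alerts by whether the developer bypassed push protection and, if so, whether the secret was resolved as a test case or false positive or left open to fix later; it assumes the GitHub REST API alert fields `push_protection_bypassed`, `state` and `resolution`, and uses a constructed sample response rather than live data.

```python
import json
import urllib.request
from collections import Counter


def fetch_secret_scanning_alerts(owner, repo, token, state="open"):
    """Fetch alerts from the REST API. Assumes a token with security_events scope.
    Not called in the offline demo below."""
    url = (f"https://api.github.com/repos/{owner}/{repo}/secret-scanning/alerts"
           f"?state={state}&per_page=100")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage_bypassed_alerts(alerts):
    """Separate push-protection bypasses into open alerts that still need remediation
    and closed ones, counted by the reason the developer gave when bypassing."""
    needs_remediation = []
    closed_by_reason = Counter()
    for alert in alerts:
        if not alert.get("push_protection_bypassed"):
            continue  # found by ordinary scanning after the fact, not a bypass
        if alert["state"] == "open":
            needs_remediation.append(alert["number"])
        else:
            closed_by_reason[alert.get("resolution") or "unknown"] += 1
    return {"needs_remediation": sorted(needs_remediation),
            "closed_by_reason": dict(closed_by_reason)}


# Constructed sample mirroring the alert shape returned by the API (not real data).
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "github_personal_access_token",
     "push_protection_bypassed": True, "resolution": None},
    {"number": 2, "state": "resolved", "secret_type": "aws_access_key_id",
     "push_protection_bypassed": True, "resolution": "used_in_tests"},
    {"number": 3, "state": "resolved", "secret_type": "slack_api_token",
     "push_protection_bypassed": True, "resolution": "false_positive"},
    {"number": 4, "state": "open", "secret_type": "aws_access_key_id",
     "push_protection_bypassed": False, "resolution": None},
]

if __name__ == "__main__":
    print(json.dumps(triage_bypassed_alerts(SAMPLE_ALERTS), indent=2))
```

Alert 4 is excluded because it was found by scanning rather than by a bypassed push; alert 1 is the "fix later" case that stays open for the developer and repository administrator to resolve.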

Enable secret scanning push protection

Organizations with GitHub Advanced Security can enable secret scanning’s push protection capability at the repository and organization levels with just one click in the UI or via the API.

For more information about our secret scanning capabilities, check out the following pages:

  • Learn about secret scanning
  • Learn about secret scanning’s push protection
