GitHub will start checking for secrets in all repositories
In 2022 alone, the company notified partners in its secret scanning partner program of more than 1.7 million potential secrets that were exposed in public repositories.

Every developer knows that writing credentials into source code is a bad idea. It still happens, though, and when it does the consequences can be dire. Until now, GitHub offered its secret scanning service only to enterprise customers paying for GitHub Advanced Security; as of today, the Microsoft-owned company is making it available for free to all public GitHub repositories.
The service scans repositories for more than 200 known token formats and alerts the issuing partner to potential leaks. Developers can also define their own regular-expression patterns for secrets that have no standard, recognisable format.
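To make the mechanism concrete, here is a small format-based secret scanner written for this article; it is not GitHub's code and does not reproduce its patterns. It checks each line of a file against a few token shapes, then applies a Shannon-entropy filter so that obvious placeholders such as `ghp_` followed by thirty-six `x` characters are not reported, and redacts whatever it does report so an alert never re-prints the full secret. The GitHub personal access token and AWS access key ID shapes follow those vendors' public documentation; the `acme_` pattern is a hypothetical custom pattern standing in for a developer-defined one, and the sample configuration file is constructed here (the AWS value is the well-known documentation example key, not a live credential).

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Token shapes to look for. The GitHub PAT and AWS access key ID formats are
# public; "internal_api_key" is a hypothetical custom pattern (assumed format)
# of the kind a developer might register for an in-house service.
TOKEN_PATTERNS: dict[str, re.Pattern[str]] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "internal_api_key": re.compile(r"\bacme_[a-f0-9]{32}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    redacted: str   # truncated form of the match, safe to put in an alert


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'xxxx...' score low."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a recognisable prefix and suffix so the owner can identify the token."""
    return f"{secret[:8]}...{secret[-4:]}"


def scan_text(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Scan text line by line; return matches that survive the entropy filter."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                candidate = match.group(0)
                # A value that fits the shape but is mostly one repeated
                # character is almost certainly a placeholder, not a leak.
                if shannon_entropy(candidate) < min_entropy:
                    continue
                findings.append(Finding(kind, line_no, redact(candidate)))
    return findings


# Constructed sample input (not a real configuration file). Line 2 and line 6
# hold fake tokens in the right shape; line 3 is a placeholder; line 4 is the
# AWS documentation example key; lines 5 and 7 should not be reported.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample config",
    'GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"',
    'GITHUB_TOKEN_PLACEHOLDER = "ghp_' + "x" * 36 + '"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'COMMENT = "AKIA is the prefix, not a key by itself"',
    'ACME_KEY = "acme_9f3a7c21e0b54d86f7a12c9e3b0d4f65"',
    'SESSION_SALT = "c29tZSByYW5kb20gYnl0ZXM="',
])


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: {finding.kind} -> {finding.redacted}")
```

Two design points carry over to any real deployment: format-specific patterns keep the false-positive rate low (the base64 salt on the last line is random-looking but is not reported, because nothing issues tokens in that shape), and the entropy threshold is what lets the same scanner run on example code and templates without drowning reviewers in alerts for `ghp_xxxx...`.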
“Through scanning secrets, we found a lot of important things that need to be addressed,” said David Ross, security engineer at Postmates. “On the AppSec side, this is often the best way for us to get an idea of problems in the code.”
Now, when you push code to GitHub, the service will automatically alert you if it contains leaked secrets. To use it, you have to opt in under your GitHub security settings. The rollout will be gradual, with the feature reaching all users by the end of January 2023.
GitHub’s own tool is, of course, not the only service that scans for leaked credentials. There are open source tools such as Gitleaks (which can integrate with GitHub Actions), and a host of security companies such as Spectral (now part of Check Point) and Nightfall, though their offerings tend to go well beyond scanning and are aimed at businesses.
