Every developer knows that it’s a bad idea to hardcode security credentials into source code. Yet it happens and when it does, the consequences can be dire. Until now, GitHub only made its secret scanning service available to paying enterprise users who paid for GitHub Advanced Security, but starting today, the Microsoft-owned company is making its secrets scanning service available for all public GitHub repos for free.
In 2022 alone, the company notified partners in its secret scanning partner program of moew than 1.7 million potential secrets that were exposed in public repositories. The service scans repositories for over 200 known token formats and then alerts partners of potential leaks — and you can define your own regex patterns, too.
“With secret scanning we found a ton of important things to address,” said David Ross, a staff security engineer at Postmates. “On the AppSec side, it’s often the best way for us to get visibility into issues in the code.”
Now, if you host your code on GitHub, the company will automatically notify you directly about leaked secrets in your source code. This also means that you will get alerts for secrets where there isn’t a partner to notify (maybe because you self-host your HashiCorp Vault, for example).
To begin using the service, you have to enable the feature in their GitHub security settings. However, the rollout of the service will be gradual and it will not be available to all users until the end of January 2023.
GitHub’s own tool is, of course, not the only service that will scan for leaked secrets. There are also open source tools like Gitleaks (which can integrate with GitHub actions) and a plethora of security companies like Nightfall and CheckPoint’s Spectral, though their services tend to go well beyond secret scanning and are generally geared toward enterprises.