GitHub Launches Secret Protection
Written by Kay Ewbank   
Thursday, 10 April 2025

GitHub has announced measures making it easier to protect yourself from exposed secrets. They include a standalone version of Secret Protection and organization-wide scanning. 

The announcements are part of GitHub Advanced Security (GHAS), GitHub's application security solution. GHAS uses AI, and its features include remediation, static analysis, secret scanning, and software composition analysis.


The driver behind the new measures is the statistic that more than 39 million secrets were leaked across GitHub in 2024 alone. GitHub says that it blocks several secrets a minute with push protection, but that secret leaks remain one of the most common, and most preventable, causes of security incidents.

Secrets, in this sense, are leaked tokens, API keys and credentials. GitHub says that such secrets are often accidentally exposed, but that a large number of breaches come from well-meaning developers who purposely expose a secret. Developers can underestimate the risk of private exposures, committing, sharing, or storing these secrets in ways that feel convenient in the moment but which introduce risk over time.

Secret Protection and Code Security have now been launched as standalone products, alongside new advanced security for GitHub Team organizations, and a free, organization-wide secret scan to help teams identify and reduce exposure. Both can be purchased as standalone products for enterprises, and Secret Protection is also available free for public repositories. Until now, smaller development teams were unable to purchase GitHub's security features without upgrading to GitHub Enterprise.

Secret Protection comes with built-in policies and configurability, so an organization can restrict the list of users or roles that are allowed to bypass a blocked secret, using delegated bypass for push protection. Once enabled, any user or role not on the bypass list must go through an approval process before the blocked push can go ahead.
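To make the push-protection and delegated-bypass behaviour described above concrete, here is an added example that is not GitHub's code and does not use GitHub's detection patterns. It scans the added lines of a unified diff for two well-known credential formats (a `ghp_` GitHub personal access token and an `AKIA` AWS access key ID; the regexes are this example's own simplification of those public formats), and then applies a bypass list: a pusher on the list gets through with the finding recorded, anyone else is blocked and would be routed to an approval flow. The diff, the user names and the `evaluate_push` function are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Simplified patterns for two publicly documented token formats. These are
# this example's own regexes, not GitHub's secret scanning patterns.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
}


@dataclass
class Finding:
    secret_type: str
    path: str
    line_no: int  # line number in the post-push version of the file


def scan_diff(diff_text):
    """Walk a unified diff and report secrets on added ('+') lines only.

    Removed lines are ignored: a secret that is being deleted does not enter
    the new history, so blocking on it would only stop people from cleaning up.
    """
    findings = []
    path = None
    line_no = 0
    hunk = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if line.startswith("@@"):
            m = hunk.match(line)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if line.startswith("-"):
            continue  # covers both '--- a/file' headers and removed lines
        if line.startswith("+"):
            line_no += 1
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line[1:]):
                    findings.append(Finding(name, path, line_no))
        elif line.startswith(" "):
            line_no += 1  # unchanged context line
    return findings


def evaluate_push(diff_text, pusher, bypass_allowed):
    """Decide whether a push may proceed.

    Returns (decision, findings). Users on the bypass list may push with the
    findings recorded; everyone else is blocked and would have to request
    approval (the approval workflow itself is not modelled here).
    """
    findings = scan_diff(diff_text)
    if not findings:
        return "allowed", findings
    if pusher in bypass_allowed:
        return "allowed_with_bypass", findings
    return "blocked", findings


# Constructed diff: the token values are dummies of the right shape, not real
# credentials (the AWS one is Amazon's own documentation example key).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = True
 PORT = 8080
"""

if __name__ == "__main__":
    # Hypothetical users: "sec-lead" is on the delegated bypass list, "dev" is not.
    for user in ("dev", "sec-lead"):
        decision, found = evaluate_push(SAMPLE_DIFF, user, {"sec-lead"})
        print(user, decision, [(f.secret_type, f.path, f.line_no) for f in found])
```

In a real pre-receive hook the diff would come from `git diff <old>..<new>` for each updated ref, and the bypass decision would be looked up from the organization's policy rather than a hard-coded set; the structure of the check is the same.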

GitHub is also offering a secret risk assessment in the form of a scan using GitHub's scanning engine for organizations, covering all repositories–public, private, internal, and even archived. The scan can be run without needing to buy the product, and provides insights into the exposure of your secrets across your organization, along with steps to take to strengthen your security and protect your code. The public preview is releasing today for organizations across GitHub Team and Enterprise plans to try.


More Information

GitHub Advanced Security

Related Articles

GitHub Improves Code Search

GitHub Code Scanning Now Uses Machine Learning

GitHub Enterprise Adds Centralized User Accounts


Last Updated ( Thursday, 10 April 2025 )