GitHub has announced that it will bring its secret scanning capability to more users with the goal of helping administrators of public repositories detect leaks of secrets in their repositories before a breach occurs.
The release is part of the Secret Scan Partner program, which was created to notify more than 100 service providers about the exposure of tokens in public repositories.
Previously, the feature was only available to organizations with GitHub Advanced Security, but it will now be available to administrators of all public repositories.
Secret Github Analysis
Github claims to search over 200 token formats (such as API keys and auth tokens) that would normally take an average of 327 days to identify, and has already reported 1,7 million potential secret exposures in public repositories to its partners.
The release has already started in beta form and GitHub expects all its members to have access by the end of January 2023. The company has also indicated a discussion forum (opens in a new tab) where users can request early access or discuss the product in more detail.
"Once secret scan alerts are available in your repository, you can enable them in your repository settings under 'Security and Code Scanning' settings," noted a company blog post (opens in a new tab).
You can view all detected secrets by going to the 'Security' tab of your repository and selecting 'Secret Scan' in the side panel under 'Vulnerability Alerts'. There you will see a list of all detected secrets, and you can click on any alert to reveal the compromised secret, its location, and suggested remediation action.
Highlighting its commitment to security, GitHub also announced that it will require all users contributing code to implement two-factor authentication (2FA) on their accounts by the end of 2023, affecting approximately 94 million users.
A select group of users will first be notified of this mandatory verification in March 2023, providing a basis for evaluation before GitHub releases it to its entire user base.