GitHub has announced that it is making its secret scanning service available free of charge for all public repositories. The service examines repositories for access tokens, private keys, credentials, API keys, and other secrets that may have been committed accidentally, and raises alerts so that they can be dealt with before they are misused. With the free tier, GitHub will notify you directly about leaked secrets in source code you host, even when there is no partner to notify.
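As an added illustration of the kind of pattern-based check such a service performs (this is not GitHub's scanner and not code from the article), here is a small POSIX shell pre-commit hook that flags a handful of well-known token formats in a staged file without echoing the secret itself. The rule set, function names and the constructed sample file are assumptions made for this example; GitHub's actual detection rules are not described on this page.

```shell
#!/usr/bin/env sh
# Added example, not GitHub's scanner and not code from the article: a minimal
# local check in the spirit of the service described above, meant to run as a
# pre-commit hook so a token or key is caught before it reaches a public repo.
# The regexes are illustrative assumptions based on well-known public token
# prefixes, not GitHub's detection rules; production hooks should use a
# maintained tool with a curated rule set.

# Rules as "label=extended-regex", one per line.
SECRET_RULES='github-pat=ghp_[A-Za-z0-9]{36}
aws-access-key-id=AKIA[0-9A-Z]{16}
private-key-block=-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----
google-api-key=AIza[0-9A-Za-z_-]{35}'

# scan_file FILE: print "FILE:LINE: possible LABEL" for each hit, without
# echoing the secret itself. Returns 0 when clean, 1 when a rule matched.
scan_file() {
  file="$1"
  hits=0
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    label=${rule%%=*}
    regex=${rule#*=}
    # -n prefixes each matching line with its number; -- keeps a regex that
    # starts with '-' (the PEM header) from being parsed as a grep option.
    lines=$(grep -nE -- "$regex" "$file" | cut -d: -f1)
    [ -n "$lines" ] || continue
    for line in $lines; do
      printf '%s:%s: possible %s\n' "$file" "$line" "$label"
    done
    hits=1
  done <<EOF
$SECRET_RULES
EOF
  return $hits
}

# count_hits FILE: number of findings, handy for reporting and for tests.
count_hits() {
  scan_file "$1" | wc -l | tr -d ' '
}

# make_sample: write a constructed file with made-up, never-valid values that
# match three of the rules above, and print its path.
make_sample() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# constructed sample; none of these values has ever been a real credential
DB_HOST=localhost
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
-----BEGIN RSA PRIVATE KEY-----
EOF
  printf '%s\n' "$f"
}

# Hook usage: for f in $(git diff --cached --name-only); do scan_file "$f" || exit 1; done
```

Run against the constructed sample, `scan_file` reports three findings (the token, the access key ID and the private-key header) by file, line and rule label, and returns 1 so a hook can block the commit; a file without matches returns 0.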
GitHub Issued Over 1.7 Million Alerts Via Secret Scanning Service
Previously, GitHub’s secret scanning service was limited to enterprise customers paying for GitHub Advanced Security. According to the Microsoft-owned company, in 2022 alone GitHub notified partners in its secret scanning partner program of 1.7 million potential secrets exposed in public repositories. David Ross, a staff security engineer at Postmates, said, “With secret scanning we found a ton of important things to address.”
“Today, we’re starting to roll out secret scanning to all free public repositories in the GitHub community, for free. We’ll begin our gradual public beta rollout of secret scanning for public repositories today and expect all users to have the feature by the end of January 2023,” reads an official statement from the company.
How to Enable Alerts for Public Repositories
To turn on secret scanning alerts for a free public repository, follow these steps:
- Go to GitHub.com and navigate to the main page of the public repository
- Under your repository name, click the “Settings” button
- In the “Security” section of the sidebar, click “Code security and analysis”
- Scroll down to the bottom of the page, and click “Enable” for secret scanning
- If you see a “Disable” button instead, secret scanning is already enabled for the repository
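For repositories managed from scripts rather than the web UI, the same setting can be changed through GitHub's REST API. The shell functions below are an added example, not part of the article or of GitHub's own tooling; they assume the GitHub CLI (`gh`) is installed and authenticated as a user with admin access, that OWNER and REPO are placeholders for a repository you administer, and that the `PATCH /repos/{owner}/{repo}` endpoint with its `security_and_analysis.secret_scanning.status` field behaves as GitHub's REST documentation describes.

```shell
#!/usr/bin/env sh
# Added example, not from the article: the Settings-page steps above done via
# GitHub's REST API with the GitHub CLI. Assumes `gh` is installed and logged in
# as a user with admin access to OWNER/REPO (both placeholders). The endpoint
# (PATCH /repos/{owner}/{repo}) and the security_and_analysis field come from
# GitHub's REST API documentation, not from the article.

# Request body: only the secret_scanning status is touched; other
# security_and_analysis settings are left as they are.
secret_scanning_payload() {
  printf '%s' '{"security_and_analysis":{"secret_scanning":{"status":"enabled"}}}'
}

# enable_secret_scanning OWNER REPO: send the PATCH (needs network and gh auth).
enable_secret_scanning() {
  secret_scanning_payload | gh api -X PATCH "/repos/$1/$2" --input -
}

# secret_scanning_status < repo.json: pull the status string ("enabled" or
# "disabled") out of a repository JSON document such as the output of
# `gh api /repos/OWNER/REPO`. Whitespace is stripped first so the match does not
# depend on pretty-printing; the key is matched with its closing quote so
# secret_scanning_push_protection is not mistaken for it. Prints nothing when
# the field is absent (non-admin callers do not receive security_and_analysis).
secret_scanning_status() {
  tr -d ' \n\t' | sed -n 's/.*"secret_scanning":{"status":"\([a-z_]*\)".*/\1/p'
}

# check_enabled OWNER REPO: exit 0 when the repository reports "enabled",
# the scripted counterpart of seeing a "Disable" button on the settings page.
check_enabled() {
  [ "$(gh api "/repos/$1/$2" | secret_scanning_status)" = "enabled" ]
}

# Usage: enable_secret_scanning OWNER REPO && check_enabled OWNER REPO
```

`check_enabled` gives a script the same confirmation the settings page gives a person: a repository that already reports `enabled` does not need the PATCH, and a missing field is a sign the calling token lacks admin rights rather than that scanning is off.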