GitHub has announced that it will be rolling out its Secret Scan feature to more users to help public repository admins detect leaked secrets in their repositories before a breach occurs.
The launch is part of a secret scanning partner program that was set up to notify more than 100 service providers about the disclosure of tokens in public repositories.
This feature was previously only available to organizations with GitHub Advanced Security, but will now be available to administrators of all public repositories.
GitHub Secret Scan
GitHub says it scans for more than 200 token formats (such as API keys and authentication tokens), which typically take an average of 327 days to identify, and has already notified its partners of 1.7 million potential secret exposures in public repositories.
The rollout has already started in beta form, and GitHub hopes to give all users access by the end of January 2023. The company also pointed to a discussion forum where users can request early access or discuss the product in more detail.
“When secret scan alerts are available in your repository, you can enable them in your repository’s “Security and code analysis” settings,” a post on the company’s blog said.
“You can see any secrets detected by going to the “Security” tab in your repository and selecting “Secret Scan” in the side panel under “Vulnerability Warnings.” There you’ll see a list of all detected secrets, and you can click on any alert to reveal the secret at risk, its location, and suggested fixes.”
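The scanning described above matches committed text against known token formats. As an added illustration (not GitHub's own detector code, whose 200-plus patterns are not published on this page), the following Python snippet runs a handful of assumed token-shaped patterns over a constructed sample file, reports each hit with its line number and a masked value, and exits non-zero when used as a pre-commit check; the patterns and sample values are illustrative assumptions, not copied from any real repository.

```python
import re
import sys
from dataclasses import dataclass

# Illustrative token-shaped patterns (assumed formats chosen for this example,
# not the detector set GitHub's secret scanning actually uses).
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line in the scanned text
    masked: str     # redacted match, safe to print in logs or alerts


def mask(secret: str) -> str:
    """Keep only a short prefix and suffix so the full value never reaches a log."""
    if len(secret) <= 12:
        return "***"
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every token-shaped match in `text`, in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, mask(match.group(0))))
    return findings


# Constructed sample file: the GitHub-style token is a made-up string of the
# right shape, and the AWS key id is the placeholder value from AWS's own docs.
SAMPLE = """\
# constructed sample config, not from any real repository
API_URL = "https://api.example.invalid/v1"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
password_hint = "not a secret, just a label"
-----BEGIN RSA PRIVATE KEY-----
"""


def scan_files(paths: list[str]) -> int:
    """Pre-commit style entry point: print findings, return 1 if any were found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print(f"{path}:{f.line_no}: {f.kind} {f.masked}")
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_files(sys.argv[1:]))
    for f in scan_text(SAMPLE):
        print(f"sample:{f.line_no}: {f.kind} {f.masked}")
```

Run with file paths as arguments to use it as a local pre-commit gate; with no arguments it scans the embedded sample and prints three masked findings. Masking the match before printing is the important design choice: an alerting path that echoes the full token would itself become a second place the secret leaks.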
GitHub 2FA
Emphasizing its commitment to security, GitHub also announced that it will require all users who contribute code to set up two-factor authentication (2FA) on their accounts by the end of 2023, impacting an estimated 94 million users.
A select group of users will be notified of this mandatory requirement for the first time in March 2023; that group will serve as the evaluation cohort before GitHub rolls the requirement out to the entire user base.