Developers get free and targeted advanced secret scanning features on GitHub to protect organizations from exposed secrets.
Over 39 million API keys, credentials, and other secrets leaked onto GitHub's platform last year, but an update to its scanning tool could help stop that.
The widely used cloud-based version-control platform automatically blocks "several secrets every minute" from going into production, but secret leaks remain a major challenge for users of the service.
While secrets are often exposed accidentally, many breaches also come from well-meaning developers who intentionally share them without realizing the risks, GitHub said in a blog post.
"Developers often underestimate the risk of private exposure, committing, sharing or storing these secrets in ways that feel convenient in the moment, but which introduce risk over time," it said.
The company has updated its premium security product, GitHub Advanced Security (GHAS), to help developers avoid making such mistakes.
New secrets scan with insights
As part of the GHAS 3.18 update, subscribers will receive a new point-in-time scan for free. Available within the "settings" tab of the GHAS dashboard, the scan will help developers find secrets exposed in their organizational code, along with a secret risk assessment.
"Once enabled, GitHub will run a point-in-time scan across all public, private, internal, and archived repositories in your organization," GitHub said. "Results are static and will not be automatically updated. You'll also be able to download the results as a CSV file."
The insights offered as scan results will include secrets leaked per type, publicly visible secrets in one's public repositories, and the repositories affected for each secret type, according to the blog.
Unbundling GHAS for accessibility
Delivering on its promise last month to extend access to advanced secrets and code scanning to organizations of all sizes, GitHub has split its GHAS offerings as standalone Secret Protection and Code Security subscriptions.
"Previously, investing in secret scanning and push protection required purchasing a larger suite of security tools, which made fully investing unaffordable for many organizations," GitHub said, adding that the change will enable development teams at smaller organizations to scale security quickly as well.
Existing GHAS subscribers will get an option to transition at renewal, while customers on pay-as-you-go and metered plans can transition at any time.
Security for all
The GitHub platform, which helps developers collaborate, manage, and track changes in their code, runs a tiered pricing model that charges subscribers depending on usage, organizational size and storage requirements. The different monthly plans are Free ($0), Team ($4), and Enterprise ($21).
It appears that Team subscribers have been bumped up to access GHAS, a feature exclusive to premium Enterprise customers until now.
"As of today, we're rolling out additional changes to our feature availability, aligning with our ongoing goal to help organizations of all sizes protect themselves from the risk of exposed secrets," GitHub said, listing "Advanced Security (GHAS) for GitHub Team organizations" as one of the upgrades.
This applies to the existing "push protection" feature GitHub offers as part of GHAS (Secret Scanning). This feature, available to Enterprise subscribers since August 2023, detects and blocks commits that contain a secret. GitHub enabled it by default for all Enterprise customers in February 2024, with an option to bypass it for a code block.