Keeping secrets out of public repositories

Accidental leaks of API keys, tokens, and other secrets risk security breaches, reputation damage, and legal liability at a mind-boggling scale. In just the first eight weeks of 2024, GitHub has detected over 1 million leaked secrets in public repositories. That's more than a dozen accidental leaks every minute. Since last August, all GitHub cloud users have been able to opt in to secret scanning push protection, which blocks a push when a supported secret is detected in it. Now, we've enabled secret scanning push protection by default for all pushes to public repositories.

What’s changing

This week, we began the rollout of push protection for all users. When a supported secret is detected in a push to a public repository, the push is blocked: you can then remove the secret from your commits and push again, or bypass the block if you deem the secret safe. This change might take a week or two to reach your account; you can verify your status and opt in early in your code security and analysis settings.

How will this change benefit me?

Leaked secrets can risk reputation, revenue, and even legal exposure, which is why GitHub Advanced Security customers already scan over 95% of pushes to private repositories. As champions for the open-source community, we believe that public repositories, and your reputation as a coder, are worth protecting, too.

Do I have a choice?

Yes. Even with push protection enabled, you can bypass the block. Although we don’t recommend it, you can disable push protection entirely in your user security settings. However, since you always retain the option to bypass the block, we recommend enabling push protection and making exceptions on an as-needed basis.
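To make the mechanism described above concrete (a push is scanned for supported secret formats, blocked on a hit, and the block can be bypassed), here is an added example of a local pre-push check in Python. It is not GitHub's scanner and not code from the announcement: the two patterns (a classic `ghp_` personal access token and an `AKIA` AWS access key ID) are simplified stand-ins for the real supported-secret detectors, the `Finding`/`scan_diff`/`push_allowed` names are ours, and the two diffs are constructed inputs.

```python
import re
import sys
from dataclasses import dataclass

# Assumed, simplified patterns for two well-known secret formats; GitHub's
# real detector definitions are not reproduced here. Classic GitHub PATs are
# "ghp_" plus 36 alphanumerics; AWS access key IDs are "AKIA" plus 16
# uppercase alphanumerics.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str    # file the secret would be added to
    line: int    # line number in the new version of that file
    kind: str    # which pattern matched
    secret: str  # matched text; redact before logging it anywhere


def scan_diff(diff: str) -> list:
    """Report secrets on added ('+') lines of a unified diff only: those are
    the bytes the push would introduce. Hunk headers are parsed so each
    finding carries the new-file line number."""
    findings, path, new_line, in_hunk = [], None, 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False
            continue
        if raw.startswith("+++ ") and not in_hunk:
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") and not in_hunk:
            continue
        header = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if header:
            new_line, in_hunk = int(header.group(1)), True
            continue
        if not in_hunk:
            continue
        if raw.startswith("+"):
            for kind, pattern in PATTERNS.items():
                for hit in pattern.finditer(raw[1:]):
                    findings.append(Finding(path, new_line, kind, hit.group(0)))
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue  # removed line or "\ No newline at end of file"
        else:
            new_line += 1  # unchanged context line
    return findings


def push_allowed(diff: str, bypass: bool = False) -> tuple:
    """(allowed, findings). With bypass=True the findings are still returned
    so they can be recorded, but they no longer block the push."""
    findings = scan_diff(diff)
    return (not findings) or bypass, findings


# Constructed sample: a commit that hard-codes two credentials. The PAT is a
# synthetic value; the AWS key is Amazon's documentation placeholder.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_AAAAAAAAAAAAAAAAAAAA0123456789abcdef"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
"""

# Constructed sample: the fix, which moves the credentials back to the
# environment. The values appear only on removed lines, so nothing is flagged.
CLEAN_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,3 @@
 import os
-GITHUB_TOKEN = "ghp_AAAAAAAAAAAAAAAAAAAA0123456789abcdef"
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
 DEBUG = False
"""

if __name__ == "__main__":
    # Usage: git diff origin/main...HEAD | python push_check.py [--bypass]
    allowed, found = push_allowed(sys.stdin.read(), bypass="--bypass" in sys.argv[1:])
    for f in found:
        print(f"{f.path}:{f.line}: {f.kind} ({f.secret[:8]}...)")
    sys.exit(0 if allowed else 1)
```

One caveat worth knowing before wiring this into a `pre-push` hook: a range diff such as `origin/main...HEAD` only shows the net change. A secret committed and then removed in a later commit of the same push is absent from that diff but still present in history, which is exactly why the block has to be cleared by removing the secret from the commits (for example by amending or rebasing) rather than from the working tree. Scanning each commit separately (`git rev-list` over the range, then `git show` per commit) closes that gap.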

What about private repositories?

If your organization is on the GitHub Enterprise plan, you can also add GitHub Advanced Security to keep secrets out of private repositories. You'll also get all of the other secret scanning features, along with code scanning, AI-powered autofix code suggestions, and other static application security testing (SAST) features as part of a comprehensive DevSecOps platform.
