GitHub announces that its sensitive data scanning alert service is now available for all public repositories. The service can be enabled to detect leaked secrets across an entire release history.

By “secrets” GitHub means sensitive data accidentally added to GitHub repositories. For example, API keys, account passwords, authentication tokens, and other sensitive data that attackers can use to gain access to non-public data.

Many cyber criminals use these public repositories as a starting point for their attacks. They actively scan repositories for credentials in order to infiltrate a network, steal credentials, or impersonate a company.

More than 70,000 users

In December 2022, GitHub started rolling out the beta version of a free sensitive data scan to scan all public repositories for 200+ token formats. The feature was intended to help developers find sensitive data that was inadvertently shared publicly. Since the initial rollout, more than 70,000 public repositories have activated the new feature.

Now, GitHub is announcing that the service is generally available and that all public repository owners can turn on scan warnings to protect their data.

GitHub not only notifies repository owners about leaked sensitive data, but also more than 100 scanning partners. They can then revoke the leaked authentication tokens and notify their customers.

How to activate the function?

To underline the success of the service, GitHub cites the example of DevOps consultant and trainer Rob Bos. The developer enabled the feature for 13,964 public GitHub repositories and found secrets in 1,110 of them (7.9%).

Any GitHub user who maintains a public repository can easily enable scanning warnings by clicking the Ideas To open it, click on the option Code security and analysis under the Securitysection, and then tap at the bottom switch Click on the option secret scanning.