GitHub’s Secret Scanning Now Includes Validity Checks for Major Token Providers

Enhanced Security: GitHub Expands Secret Scanning to Verify Token Validity

GitHub has expanded its secret scanning feature introduced in January 2023 to include validity checks for specific tokens from AWS, Microsoft, Google, and Slack, enhancing security measures to safeguard against leaked credentials such as passwords and API keys.

This development comes approximately ten months after GitHub, now under Microsoft’s ownership, pledged to bring “100+ secret scanning partners” into its ecosystem.

Since the beginning of 2023, GitHub has made secret scanning and secret scanning push protection available at no cost for users of public repositories, demonstrating its commitment to supporting open source users.

Users with eligible accounts can activate secret scanning, which now encompasses a wider range of third-party services, by navigating to Settings > Code security and analysis > Secret scanning. Within these settings, users can enable the “Automatically verify if a secret is valid by sending it to the relevant partner” option.

GitHub also describes a limitation of the process: “If we can’t accurately detect the validity – this can happen when a token found on GitHub.com belongs to a GitHub Enterprise Server instance – we’ll provide insight on where to look for remediation.”

Looking ahead, GitHub is dedicated to expanding its partner program and has committed to supporting a broader range of tokens. Users can track the progress on supported tokens through a dedicated GitHub support page.

Secret scanning runs these checks periodically in the background, and users can also trigger a check manually rather than wait for the next scheduled run.

GitHub shared in its recent blog post, “Validity checks are another piece of information at your disposal when investigating a secret scanning alert. We hope this feature will provide greater speed and efficiency in triaging alerts and remediation efforts.”
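To show how a validity result can speed up triage, here is an added Python example (written for this page, not GitHub’s own code or tooling). It assumes that each secret scanning alert carries a `validity` value of `active`, `inactive` or `unknown` alongside its `state` and `secret_type`, and it treats a missing validity like the GitHub Enterprise Server case quoted above: the alert is kept in the queue for manual verification instead of being dropped. The alert records are constructed sample data, not output from a real repository.

```python
import json

# Constructed sample alerts (not real data). The field names `number`,
# `secret_type`, `state` and `validity` are assumed for this example.
SAMPLE_ALERTS_JSON = """
[
  {"number": 1, "secret_type": "aws_access_key_id", "state": "open", "validity": "active"},
  {"number": 2, "secret_type": "slack_api_token", "state": "open", "validity": "inactive"},
  {"number": 3, "secret_type": "github_personal_access_token", "state": "open", "validity": "unknown"},
  {"number": 4, "secret_type": "google_api_key", "state": "open"},
  {"number": 5, "secret_type": "aws_secret_access_key", "state": "resolved", "validity": "active"}
]
"""

# Recommended handling per validity result, most urgent first.
ACTION = {
    "active": "rotate immediately; the provider confirmed the credential still works",
    "unknown": "verify manually; validity could not be determined (e.g. token belongs to another instance)",
    "inactive": "lower priority; the provider reports the credential no longer works",
}
ORDER = ["active", "unknown", "inactive"]


def load_alerts(text):
    """Parse the JSON list of alerts."""
    return json.loads(text)


def normalize_validity(alert):
    """Map a missing or unrecognised validity to 'unknown' so it is never silently skipped."""
    value = alert.get("validity")
    return value if value in ACTION else "unknown"


def triage(alerts):
    """Group the numbers of open alerts by validity; resolved alerts are left out."""
    groups = {v: [] for v in ORDER}
    for alert in alerts:
        if alert.get("state") != "open":
            continue
        groups[normalize_validity(alert)].append(alert["number"])
    return groups


def worklist(alerts):
    """Ordered list of (alert number, secret type, action), active secrets first."""
    by_number = {a["number"]: a for a in alerts}
    groups = triage(alerts)
    items = []
    for validity in ORDER:
        for number in sorted(groups[validity]):
            items.append((number, by_number[number]["secret_type"], ACTION[validity]))
    return items


if __name__ == "__main__":
    for number, secret_type, action in worklist(load_alerts(SAMPLE_ALERTS_JSON)):
        print(f"#{number:<3} {secret_type:<32} {action}")
```

Running the script prints the AWS access key first (confirmed active), then the two alerts that need a human to confirm validity, and the inactive Slack token last; the resolved alert is excluded. In practice the same ordering applied to real alerts lets a responder spend rotation effort where the provider has already confirmed the credential is live.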