GitHub has announced that its enterprise-focused secret scanning tool for private repositories is now generally available.
The Microsoft-owned code-hosting platform first debuted secret scanning for private repositories last May as part of its advanced security program. It was introduced in beta alongside a new native code-scanning tool that automatically scans every git push for vulnerabilities. Code scanning reached general availability in September; secret scanning follows today.
In related news, GitHub also announced the beta launch of a new “security overview” tool, designed to give security teams a single interface for viewing all the security risks detected by GitHub’s advanced security tools, across code scanning, secret scanning, and Dependabot. The overview highlights known security risks as well as unknown risks, i.e. places where teams haven’t fully configured their security features.
“Secrets,” for the uninitiated, is industry parlance for authentication credentials such as API tokens, passwords, and keys that protect access to applications, services, and other sensitive areas of a company’s digital infrastructure. GitHub first launched secret scanning — then known as “token scanning” — for public repositories back in 2018. It’s designed to help companies identify sensitive data hidden inside their public code, so that the exposed credentials can be revoked before bad actors find them. Recent data from GitGuardian indicates that there was a 20% rise in secrets hidden in public GitHub repositories last year.
Businesses that use GitHub for private (i.e. non-open-source) projects can buy a GitHub advanced security license as part of their Enterprise Cloud (hosted) or Enterprise Server (self-hosted) subscription, which gives them access to secret scanning.
Since its beta launch last year, GitHub has added a bunch of new features to the mix, though some are only available in the GitHub Enterprise Cloud edition for now. These include an API and support for webhooks for setting up secret scanning alerts, while GitHub has also expanded its secret scanning pattern coverage to incorporate tokens from more than 35 companies, including Shopify, Stripe, AWS, Azure, SendGrid, Twilio, and Slack.
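To show what the webhook-based alerting mentioned above involves on the receiving side, here is an added example (not GitHub’s code and not from the article): a Python handler that verifies the HMAC-SHA256 signature GitHub sends in the X-Hub-Signature-256 header over the raw request body, then extracts a triage summary from a secret_scanning_alert delivery. The header names are GitHub’s; the payload field names are assumptions, and the shared secret and sample body are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example; a real deployment loads it from config.
WEBHOOK_SECRET = b"example-webhook-secret"

def sign_body(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub places in X-Hub-Signature-256 for a given body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check the HMAC over the raw body; constant-time compare avoids timing leaks."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)

def summarize_alert(body: bytes) -> dict:
    """Pull the fields a triage queue needs from a secret_scanning_alert payload.
    Field names are an assumption about the shape of that event, not verified here."""
    payload = json.loads(body)
    alert = payload["alert"]
    return {
        "action": payload["action"],  # e.g. created / resolved / reopened
        "repo": payload["repository"]["full_name"],
        "number": alert["number"],
        "secret_type": alert["secret_type"],
    }

def handle_delivery(secret: bytes, headers: dict, body: bytes) -> Optional[dict]:
    """Entry point a web handler would call with the verbatim request body."""
    if headers.get("X-GitHub-Event") != "secret_scanning_alert":
        return None  # ignore other event types
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        raise PermissionError("webhook signature missing or invalid")
    return summarize_alert(body)

# Constructed sample delivery (not captured from GitHub).
SAMPLE_BODY = json.dumps({
    "action": "created",
    "alert": {"number": 7, "secret_type": "aws_access_key_id", "state": "open"},
    "repository": {"full_name": "example-org/payments-service"},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "secret_scanning_alert",
    "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_BODY),
}
```

The signature must be computed over the raw bytes exactly as received; re-serialising a parsed JSON body before hashing will not match what GitHub signed.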
Earlier today, GitHub also launched new granular controls for the GitHub mobile app, designed to boost developer productivity by helping developers manage their notifications and pause them when their shift ends.