GitHub has announced an enhancement to its secret scanning feature, allowing users to validate exposed credentials for major cloud services. This feature, available since March 2023, helps organizations and developers identify potentially exposed secrets in their repositories and take immediate action.
Backed by service providers in the GitHub Partner Program, the feature raises alerts when exposed keys are detected and notifies the relevant GitHub partner when one of its secrets is leaked in a public repository. Users can enable secret scanning for all their repositories to be notified when a secret is inadvertently included in a code commit.
To streamline the process of identifying and addressing exposed tokens, GitHub introduced validity checks for its own tokens earlier this year, eliminating the need to manually verify whether a leaked token is still active. Now, GitHub is expanding this capability to AWS, Google, Microsoft, and Slack tokens.
These are some of the most common types of secrets detected across GitHub repositories. Users, including enterprise owners and repository administrators, can enable these validation checks in the “Code security and analysis” settings, making it easier to triage alerts and enhance remediation efforts.
The checks are conducted periodically in the background, but users can also perform manual checks by clicking “Verify secret.” GitHub aims to provide greater speed and efficiency in addressing secret scanning alerts and improving overall code security and analysis on the platform.
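The validity result is what makes an alert actionable: an active token needs revocation and rotation right away, an inactive one only needs confirmation, and an unknown one is the case for the manual "Verify secret" check. The script below is an added example of how a defender might triage a batch of alerts using that result; it is not GitHub's code. It assumes the `validity` field (values `active`, `inactive`, `unknown`) exposed on alert records by the secret scanning REST API, and the alert records, secret type names and provider mapping are constructed for illustration rather than taken from a live API response.

```python
"""Prioritize secret scanning alerts by validity and repository exposure.

Added example, not GitHub's code. Assumes alert records shaped loosely like
those returned by the secret scanning REST API, with a `validity` field whose
values are "active", "inactive" or "unknown" (assumption). Sample data below
is constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Assumed validity values; lower rank = more urgent.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}

# Constructed mapping from illustrative secret_type strings to the providers
# named in the announcement. Not an authoritative list of GitHub's type names.
PROVIDER_OF = {
    "aws_access_key_id": "AWS",
    "aws_secret_access_key": "AWS",
    "google_api_key": "Google",
    "azure_storage_account_key": "Microsoft",
    "slack_api_token": "Slack",
    "github_personal_access_token": "GitHub",
}


@dataclass(frozen=True)
class TriageItem:
    alert_number: int
    provider: str
    validity: str
    public_repo: bool
    priority: int
    action: str


def priority(validity: str, public_repo: bool) -> int:
    """Lower number = handle first. Active secrets in public repos are top."""
    base = VALIDITY_RANK.get(validity, VALIDITY_RANK["unknown"])
    return base * 2 + (0 if public_repo else 1)


def recommended_action(validity: str) -> str:
    """Map the validity result to the remediation step it calls for."""
    if validity == "active":
        return "revoke and rotate now"
    if validity == "inactive":
        return "confirm revoked, then close alert"
    return "run manual verify secret check, then decide"


def triage(alerts: Iterable[Dict[str, Any]]) -> List[TriageItem]:
    """Turn raw alert dicts into a worklist ordered by priority, then number."""
    items = []
    for alert in alerts:
        validity = alert.get("validity", "unknown")
        if validity not in VALIDITY_RANK:
            validity = "unknown"  # treat anything unexpected as unverified
        public_repo = not alert["repository"]["private"]
        items.append(TriageItem(
            alert_number=alert["number"],
            provider=PROVIDER_OF.get(alert["secret_type"], "other"),
            validity=validity,
            public_repo=public_repo,
            priority=priority(validity, public_repo),
            action=recommended_action(validity),
        ))
    return sorted(items, key=lambda i: (i.priority, i.alert_number))


# Constructed sample alerts covering each validity state and a missing field.
SAMPLE_ALERTS = [
    {"number": 12, "secret_type": "aws_access_key_id", "validity": "inactive",
     "repository": {"private": False}},
    {"number": 7, "secret_type": "slack_api_token", "validity": "active",
     "repository": {"private": True}},
    {"number": 3, "secret_type": "google_api_key", "validity": "unknown",
     "repository": {"private": False}},
    {"number": 9, "secret_type": "azure_storage_account_key", "validity": "active",
     "repository": {"private": False}},
    {"number": 15, "secret_type": "github_personal_access_token",
     "repository": {"private": True}},  # no validity field at all
]

if __name__ == "__main__":
    for item in triage(SAMPLE_ALERTS):
        scope = "public" if item.public_repo else "private"
        print(f"#{item.alert_number:>3} {item.provider:<9} {item.validity:<8} "
              f"{scope:<7} -> {item.action}")
```

The ordering puts active secrets in public repositories first, then active secrets in private repositories, then unverified ones (where the manual check earns its keep), and leaves already-inactive credentials for confirmation and closure.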