GitHub to scan codes for sensitive information before upload to detect potential leaks

GitHub, which recently launched the $20/month Copilot Enterprise, has announced a new security feature for public repositories. Effective immediately, GitHub will begin automatically scanning code for sensitive information, such as API keys and tokens, before it is uploaded. If a potential leak is detected, the push will be blocked.

This change comes in response to a concerning trend of accidental secret leaks in public repositories. GitHub reports identifying over 1 million such leaks in the first eight weeks of 2024 alone.

The accidental exposure of sensitive information can have serious consequences. This new feature aims to mitigate this risk and improve overall security within the developer community.

How does the feature work?

Public code repositories on GitHub will now undergo automatic scanning for pre-defined “secrets” during the push process. If a potential leak is identified, the developer will be notified and offered two options: remove the secret or bypass the block (though this option is not recommended). The rollout of this feature may take up to a week to reach all users, who can also choose to enable it early within their security settings.

It has several benefits for developers. It helps reduce the risk of leaks by automatically scanning for secrets, which can prevent accidental exposure of sensitive information. Additionally, this feature can contribute to a more secure development environment for individual developers and the open-source community, thus improving the overall security posture.

While push protection is now enabled by default, developers can bypass the block on a case-by-case basis. Disabling the feature entirely is not recommended.

For organizations managing private repositories, subscribing to the GitHub Advanced Security plan offers additional security features beyond secret scanning, such as code scanning and AI-powered code suggestions.

More here.