GitHub will scan certain commits for tokens and private keys before publishing
GitHub will scan commits pushed by certain organizations for secrets such as tokens and private keys before they are published. Currently, scanning takes place only after publication, when the secrets may already have been seen by malicious parties. The proactive scanner looks for 69 common types of secrets.
If a developer pushes code that contains a known secret, a warning appears on screen. The developer can then modify the code and remove the secret. Users can also choose to push the code after all, for example if it concerns test code or a false positive.
GitHub scans for 69 different types of secrets provided by partners and other organizations. For example, it scans for session tokens and secret access keys from AWS, Cloud Access Keys from Alibaba Cloud, and Cloud Storage Access Keys from Google.
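The workflow described above (scan the pushed change for secret patterns before it is published, warn, and let the user bypass for test code or false positives) can be sketched as a small pre-push check. The following is an added example written for this page, not GitHub's own scanner or its partner-provided patterns: the three regular expressions are approximations of well-known token formats chosen for illustration, the diff is constructed, and the AWS key value is the placeholder that AWS documentation itself uses, not a real credential. Only added lines are inspected, because removed lines are not what gets published.

```python
import re
from dataclasses import dataclass

# Assumption: illustrative approximations of a few well-known secret formats.
# GitHub's real scanner uses partner-supplied patterns that are not reproduced here.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")


@dataclass
class Finding:
    kind: str
    path: str
    line_no: int   # line number in the file as it would be after the push
    snippet: str   # the offending line with the secret value masked


def scan_diff(diff_text):
    """Return a Finding for every added line that matches a secret pattern."""
    findings = []
    path = None
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")   # file the hunk adds lines to
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line_no = int(m.group(1)) - 1   # first added/context line follows
            continue
        if raw.startswith("-"):
            continue                            # removed lines are never published
        if raw.startswith("+"):
            new_line_no += 1
            content = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    # Mask the matched value so the warning itself does not leak it.
                    findings.append(Finding(kind, path, new_line_no,
                                            pattern.sub("<redacted>", content)))
        elif raw.startswith(" ") or raw == "":
            new_line_no += 1                    # unchanged context line
    return findings


def decide(findings, bypass=False):
    """'block' the push when secrets were found, unless the user bypasses."""
    if not findings:
        return "allow"
    return "allow" if bypass else "block"


# Constructed sample diff. AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS
# documentation; the private key body is a placeholder, not real key material.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "..."
 ALLOWED_HOSTS = ["example.org"]
+# deploy token copied from CI
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+constructed-placeholder-not-a-key
+-----END OPENSSH PRIVATE KEY-----
"""


if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"warning: {f.kind} in {f.path}:{f.line_no}: {f.snippet}")
    print("push decision:", decide(results))
```

Run as a script it prints one warning per finding and a "block" decision; calling `decide(results, bypass=True)` models the user choosing to push anyway after judging the hit to be test code or a false positive. The masked snippet is what a practitioner would want in the warning: enough to locate the line, without copying the secret into logs.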
Secrets are, for example, authentication tokens or access keys for external services, but they can also be internally used passwords. GitHub recommends developers store those secrets outside of the GitHub repos. If developers store them within public GitHub repos, these secrets can be viewed and exploited by others.
The proactive secret scanner is only available to organizations that use the paid GitHub Advanced Security program. These organizations must also enable the proactive secret scanner themselves. Advanced Security also includes a scanner that checks code after publication for both the presence of secrets and vulnerabilities.