GitHub’s secret scanning feature has extended beyond the four walls of GitHub to now include validity checks for “select tokens from AWS, Microsoft, Google, and Slack.”
Introduced in January 2023, the functionality is designed to reduce the risk of leaked credentials, like passwords and API keys, by checking whether a token is still active.
This comes around ten months after the Microsoft-owned company promised to add “100+ secret scanning partners.”
GitHub secret scanning
Since the beginning of 2023, the company has made secret scanning and secret scanning push protection free for users of public repositories in a bid to help open source users.
Eligible accounts can enable secret scanning, which now includes more third-party services, via Settings > Code security and analysis > Secret scanning, where the “Automatically verify if a secret is valid by sending it to the relevant partner” option is housed.
GitHub said: “If we can’t accurately detect the validity – this can happen when a token found on GitHub.com belongs to a GitHub Enterprise Server instance – we’ll provide insight on where to look for remediation.”
Looking ahead, the software development platform has committed to supporting more tokens as it expands its partner program. Progress on supported tokens is available to view on a GitHub support page.
Secret scanning works by periodically performing checks in the background, but users can also choose to run a manual check to be sure that they’ve not missed something.
GitHub said in its latest blog post: “Validity checks are another piece of information at your disposal when investigating a secret scanning alert. We hope this feature will provide greater speed and efficiency in triaging alerts and remediation efforts.”
