GitHub is beefing up its security after finding a staggering 39 million secrets—API keys, credentials, the works—leaking from repositories in 2024. This exposure puts users and organizations at serious risk.
According to GitHub’s report, this massive leak was detected by its secret scanning service, which identifies exposed API keys, passwords, and tokens within repositories.
“Secret leaks remain one of the most common—and preventable—causes of security incidents,” GitHub stated in its announcement, noting, “As we develop code faster than ever previously imaginable, we’re leaking secrets faster than ever, too.”
Despite measures like “Push Protection,” launched in April 2022 and enabled by default on public repositories in February 2024, secrets continue to leak due to developers prioritizing convenience when handling secrets during commits and accidental repository exposure through git history.
To combat these leaks, GitHub is rolling out several new measures and enhancements:
- Standalone secret protection and code security: Available as separate products, these tools no longer require a full GitHub Advanced Security license, aiming to be more affordable for smaller teams.
- Free organization-wide secret risk assessment: Checks all repositories (public, private, internal, and archived) for exposed secrets, available to all GitHub organizations at no cost.
- Push protection with delegated bypass controls: Enhanced push protection scans for secrets before code is pushed and allows organizations to define who can bypass the protection, thus adding policy-level control.
- Copilot-powered secret detection: GitHub is leveraging AI via Copilot to detect unstructured secrets like passwords, aiming to improve accuracy and lower false positives.
- Improved detection via cloud provider partnerships: GitHub is collaborating with providers such as AWS, Google Cloud, and OpenAI to enhance the accuracy of secret detectors and speed up responses to leaks.
“As of today, our security products are available to purchase as standalone products for enterprises, enabling development teams to scale security quickly,” GitHub explained. “Previously, investing in secret scanning and push protection required purchasing a larger suite of security tools, which made it too expensive for many organizations.”
Court dismisses billion-dollar claims against GitHub Copilot
Beyond GitHub’s upgrades, users are urged to take proactive steps to safeguard against secret leaks. Recommendations include enabling Push Protection at the repository, organization, or enterprise level to preemptively block secrets. GitHub also suggests eliminating hardcoded secrets by using environment variables, secret managers, or vaults.
The platform further advises using tools integrated with CI/CD pipelines and cloud platforms for programmatic secret handling, minimizing error-prone human interaction and potential exposure.
Lastly, GitHub encourages users to review the ‘Best Practices’ guide for comprehensive secrets management.
