GitHub Enables Secret Scanning for All Public Repositories, Makes 2FA Mandatory

Microsoft-owned GitHub announced it’s rolling out secret scanning to all free public repositories on the platform, for free. Secret scanning notifies developers whenever it detects exposed secrets, such as user credentials and application tokens, within their code.

The feature was only available for paid enterprise users as part of the GitHub Advanced Security suite, but will be offered to all users by the end of January.

“At GitHub, we partner with service providers to flag leaked credentials on all public repositories through our secret scanning partner program,” reads GitHub’s announcement. “We scan repositories for 200+ token formats and work with relevant partners to help protect our mutual customers. In 2022, we notified our partners of over 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens.”

The company will roll out secret scanning gradually as a beta version for public repositories. Once the feature is available, you can enable it from the “Code security and analysis” section of your repository’s settings menu.

Detected secrets can be found by navigating to your repository’s ”Security” tab and heading to the “Secret scanning” category in the left side panel. The detected secrets list also contains the secret’s location and suggested mitigation steps.

Aside from secret scanning, GitHub plans to enforce mandatory 2FA throughout the platform. 2FA will roll out gradually, starting in March 2023, and will apply to “distinct groups of users,” such as:

• Users who created releases
• Enterprise and organization administrators
• Publishers of GitHub or OAuth apps or packages
• Critical repositories (e.g., RubyGems, PyPI, OpenSSF, npm) code contributors
• Code contributors to “the approximate top four million public and private repositories”