GitHub is doubling down on security after its systems detected a staggering 39 million secrets—API keys, passwords, and other credentials—leaked in repositories during 2024. This exposure puts both users and organizations at considerable risk, prompting significant upgrades to the Advanced Security platform.
According to GitHub’s recent report, these leaked secrets were identified using its secret scanning service, a feature designed to detect sensitive information within repositories.
“Secret leaks remain one of the most common—and preventable—causes of security incidents,” GitHub stated, emphasizing the urgency of the situation. The company notes that the pace of code development is matched by an equally rapid increase in secret leaks.
This surge in leaks persists despite GitHub’s introduction of “Push Protection” in April 2022, which became a default feature on all public repositories in February 2024.
GitHub attributes the ongoing leaks to developers prioritizing convenience over safe secret handling when committing, and to accidental exposure through git history: a secret deleted from the current files still survives in earlier commits, so it leaks the moment the repository itself is exposed.
To address these vulnerabilities, GitHub has announced several new measures and enhancements to its Advanced Security platform:
GitHub is now offering its security products as standalone purchases for enterprises, allowing development teams to scale security measures more efficiently. Previously, access to secret scanning and push protection required a more extensive (and expensive) suite of security tools. Key changes to GitHub Advanced Security include:
- Standalone secret protection and code security: These tools are now available separately, removing the requirement for a full GitHub Advanced Security license and making them more accessible for smaller teams.
- Free organization-wide secret risk assessment: GitHub is providing a complimentary, one-time scan to check all repository types (public, private, internal, and archived) for exposed secrets for all GitHub organizations.
- Push protection with delegated bypass controls: Push protection already scans for secrets before a push is accepted and blocks the push when one is found; the enhancement lets organizations define who may approve a bypass of that block, moving the decision from the individual developer to policy-level control.
- Copilot-powered secret detection: GitHub is leveraging AI via Copilot to enhance detection of unstructured secrets like passwords, thereby improving accuracy and reducing false positives.
- Improved detection via cloud provider partnerships: Through collaborations with providers like AWS, Google Cloud, and OpenAI, GitHub aims to refine secret detectors and accelerate responses to leaks.
Beyond GitHub’s own efforts, the platform is also recommending specific actions users can take to safeguard against secret leaks.
Users are urged to enable Push Protection at the repository, organization, or enterprise level to proactively block secrets before they are pushed to a repository.
GitHub also underscores the importance of minimizing risk by eliminating hardcoded secrets from source code. Instead, it recommends utilizing environment variables, secret managers, or vaults for secure storage.
Another recommendation involves using tools integrated with CI/CD pipelines and cloud platforms for programmatic handling of secrets. This approach aims to reduce human interaction, which can lead to errors and exposure.
Finally, GitHub advises users to consult the ‘Best Practices’ guide to ensure comprehensive end-to-end management of secrets.
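To make the recommendations above concrete, here is an added Python example of the idea behind push protection: a pre-push style check that scans only the lines a diff introduces, using a couple of structured token detectors plus an entropy heuristic for unstructured credentials, and that lets a line reading the secret from an environment variable pass. This is illustrative code written for this article, not GitHub's scanner or its detector definitions; the regexes, the entropy threshold, the `Finding`/`scan_added_lines`/`would_block` names and the sample diff are all assumptions constructed here (the GitHub-style token is a made-up string of the right shape, and the AWS key ID is the placeholder AWS uses in its own documentation).

```python
"""Minimal pre-push secret check: scan the added lines of a diff, as push protection does."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Illustrative structured detectors (assumed for this example; they follow the
# public shape of two token formats but are not GitHub's detector definitions).
STRUCTURED_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Fallback for unstructured secrets (passwords, random keys): a credential-looking
# assignment whose value is long and high-entropy. The threshold is an assumed tuning value.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api_key|apikey)\s*[:=]\s*['\"]?([^'\"\s]{12,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character


@dataclass(frozen=True)
class Finding:
    line_no: int   # line within the diff text, not within the file
    detector: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits per character: log2(len) for an all-distinct string, 0 for a constant one."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_added_lines(diff: str) -> list[Finding]:
    """Inspect only '+' lines, because that is what a push introduces.

    Removed ('-') lines are deliberately ignored, which is exactly the gap the
    article points at: a secret deleted in this commit still sits in history.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        before = len(findings)
        for name, pattern in STRUCTURED_PATTERNS.items():
            for m in pattern.finditer(content):
                findings.append(Finding(line_no, name, m.group(0)))
        if len(findings) == before:  # no structured hit: try the entropy heuristic
            m = ASSIGNMENT.search(content)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_assignment", m.group(2)))
    return findings


def redact(secret: str) -> str:
    """Show enough to recognise the token in a report without re-leaking it."""
    return (secret[:4] + "*" * (len(secret) - 4)) if len(secret) > 4 else "****"


def would_block(diff: str) -> bool:
    """What a pre-push hook would act on: True means refuse the push."""
    return bool(scan_added_lines(diff))


# Constructed sample diff for this example. The last added line shows the hardened
# form the article recommends (read from the environment), and is not flagged.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,1 +1,5 @@
-password = "hunter2"
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "xK9#mQ2vL8pR4nT7w"
+example_token = "REPLACE_ME_REPLACE_ME"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"diff line {f.line_no}: {f.detector} -> {redact(f.secret)}")
    print("push blocked" if would_block(SAMPLE_DIFF) else "push allowed")
```

Run as a script, it reports the made-up GitHub token, the AWS key ID and the high-entropy `db_password` value, and blocks the push; the `REPLACE_ME_REPLACE_ME` placeholder is skipped by the entropy check, which is the false-positive reduction the unstructured-secret detection described above is aiming at, and the `os.environ` line passes because no literal value is present. The check is only a last line of defence: it cannot see the secret removed on the `-` line, which is already in history, so keeping secrets out of source in the first place remains the real fix.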