GitHub’s secret scanning for private repositories enters general availability

A GitHub logo seen displayed on a smartphone.
Image Credit: Igor Golovniov/SOPA Images/LightRocket via Getty Images

GitHub has announced that its enterprise-focused secret scanning tool for private repositories is now generally available.

The Microsoft-owned code-hosting platform first debuted secret scanning for private repositories last May as part of its advanced security program. It was introduced in beta alongside a new native code-scanning tool that automatically scans every git push for vulnerabilities. Code scanning reached general availability in September and is followed today by secret scanning.

In related news, GitHub also announced the beta launch of a new “security overview” tool that gives security teams a single interface to view all the risks detected by GitHub’s advanced security tools. These span code scanning, secret scanning, and Dependabot. The overview highlights known security risks as well as unknown ones, flagging where teams haven’t fully configured their security features.

Above: GitHub: Security overview

Secret sauce

“Secrets” refers to authentication credentials such as API tokens, passwords, and keys that protect access to applications, services, and other sensitive areas of a company’s digital infrastructure. GitHub first launched secret scanning — then known as “token scanning” — for public repositories back in 2018. It’s designed to help companies identify sensitive data hidden inside their public code before it’s found by bad actors.

There has been a flurry of activity in the secrets management space of late, with GitGuardian raising $12 million in funding a few months back to help companies detect sensitive data hidden in their code repositories and Doppler raising $6.5 million in a round of funding led by Alphabet’s GV to expand into the enterprise.

Recent data from GitGuardian indicates a 20% rise in secrets hidden in public GitHub repositories last year, a trend driven in part by a broader push toward code collaboration platforms as developers and businesses rapidly embraced remote work.

Businesses that use GitHub for private (i.e., non-open-source) projects can buy a GitHub Advanced Security license as part of their Enterprise Cloud (hosted) or Enterprise Server (self-hosted) subscription, which gives them access to secret scanning. In the 10 months since it first arrived in beta, GitHub said it has helped organizations find and revoke more than 5,000 secrets.

Above: GitHub secret scanning

Since its beta launch last year, GitHub has added a number of new features, though some are currently only available for the GitHub Enterprise Cloud edition. These include an API and webhook support for secret scanning alerts. GitHub has also expanded its secret scanning pattern coverage to incorporate tokens from more than 35 companies, including Shopify, Stripe, AWS, Azure, SendGrid, Twilio, and Slack.
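As an added illustration (not GitHub's code, and not its actual pattern set), the following is a minimal pattern-plus-entropy scan of the kind secret scanning performs for provider tokens, run over constructed source lines that contain AWS's documented example access key ID and made-up Slack- and Stripe-style tokens:

```python
import math
import re

# Public token formats for three of the providers named in the article.
# Constructed for this example; this is not GitHub's own pattern set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}

# Placeholders such as "sk_live_xxxxxxxx..." match the regex but carry
# almost no entropy; skipping them keeps alerts actionable.
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines):
    """Return (line_number, pattern_name, token) for each likely real secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                if shannon_entropy(token) >= MIN_ENTROPY_BITS:
                    findings.append((lineno, name, token))
    return findings


# Constructed sample lines; the AWS value is the documented example key,
# the Slack and Stripe values are invented and match only the format.
SAMPLE = [
    'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
    'SLACK_TOKEN = "xoxb-24-CONSTRUCTED-EXAMPLE-t0ken-F4k3"',
    'STRIPE_KEY = "sk_live_xxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder, low entropy',
    'stripe.api_key = "sk_live_CONSTRUCTEDexample4Ke7qP1wZ9"',
    'print("no secrets on this line")',
]

if __name__ == "__main__":
    for lineno, name, token in scan_lines(SAMPLE):
        print(f"line {lineno}: {name}: {token[:8]}...")
```

The placeholder on line 3 matches the Stripe pattern but is dropped by the entropy check, which is the kind of false-positive filtering a pattern-only scanner needs before raising alerts.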

Earlier today, GitHub also launched new granular controls for the GitHub mobile app, designed to boost developers’ productivity by helping them manage notifications and pause them at the end of a shift.
