GitHub expands security tools after 39 million secrets leaked in 2024

GitHub announced updates to its Advanced Security platform after it detected over 39 million leaked secrets in repositories during 2024, including API keys and credentials, exposing users and organizations to serious security risks.

In a new report, GitHub says the 39 million secrets were found through its secret scanning service, a security feature that detects API keys, passwords, tokens, and other secrets in repositories.

“Secret leaks remain one of the most common—and preventable—causes of security incidents,” reads GitHub’s announcement.

“As we develop code faster than ever previously imaginable, we’re leaking secrets faster than ever, too.”

This is happening despite GitHub’s targeted protection measures like “Push Protection,” which was introduced in April 2022 and was activated by default on all public repositories in February 2024.

According to GitHub, secrets continue to leak for two main reasons: developers prioritize convenience when handling secrets during commits, and repositories are accidentally exposed through git history.

GitHub revamps Advanced Security

GitHub announced several new measures and enhancements to existing systems to mitigate secret leaks on the platform.

“As of today, our security products are available to purchase as standalone products for enterprises, enabling development teams to scale security quickly,” explained GitHub.

“Previously, investing in secret scanning and push protection required purchasing a larger suite of security tools, which made it too expensive for many organizations.

“This change ensures scalable security with Secret Protection and Code Security is no longer out of reach for many organizations.”

The GitHub Advanced Security changes are summarized as follows:

  1. Standalone Secret Protection and Code Security – Now available as separate products, these tools no longer require a full GitHub Advanced Security license, making them more affordable for smaller teams.
  2. Free organization-wide secret risk assessment – A point-in-time scan that checks all repositories (public, private, internal, and archived) for exposed secrets, free for all GitHub organizations.
  3. Push protection with delegated bypass controls – Enhanced push protection scans for secrets before code is pushed and allows organizations to define who can bypass the protection, adding policy-level control.
  4. Copilot-powered secret detection – GitHub now uses AI via Copilot to detect unstructured secrets like passwords, improving accuracy and lowering false positives.
  5. Improved detection via cloud provider partnerships – GitHub works with providers like AWS, Google Cloud, and OpenAI to build more accurate secret detectors and respond faster to leaks.

Apart from GitHub’s initiatives and improvements, users are also given a list of recommended actions to protect themselves from secret leaks.

First, it is suggested that Push Protection be enabled at the repository, organization, or enterprise level to block secrets before they’re pushed to a repository.

GitHub also highlights the importance of reducing the risk by eliminating hardcoded secrets from source code altogether, instead using environment variables, secret managers, or vaults to store them.
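As an added illustration (not GitHub's code or its detectors), the following is a minimal local analogue of a pre-push check: it scans only the added lines of a unified diff for two publicly documented token formats and for quoted literals assigned to secret-looking names. The rule names, the entropy threshold, and the sample diff are assumptions constructed for this example.

```python
import math
import re

# Structured token formats with publicly documented prefixes.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Unstructured: a quoted literal assigned to a secret-looking name.
ASSIGN = re.compile(r"(?i)\b\w*(password|passwd|secret|token|api_?key)\w*\s*[:=]\s*"
                    r"['\"]([^'\"]{8,})['\"]")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff_text, min_entropy=3.0):
    """Return (file, new_line_number, rule) for each secret found in added lines."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif m := HUNK.match(line):
            lineno = int(m.group(1)) - 1      # line counter restarts at each hunk
        elif line.startswith("+"):
            lineno += 1
            for rule, rx in RULES.items():
                if rx.search(line):
                    findings.append((path, lineno, rule))
            m = ASSIGN.search(line)
            if m and entropy(m.group(2)) >= min_entropy:
                findings.append((path, lineno, "generic-secret-assignment"))
        elif line.startswith(" "):
            lineno += 1                       # context lines exist in the new file too
    return findings

# Constructed sample diff; the key is AWS's documented example value, not a live one.
SAMPLE_DIFF = """\
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,6 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+db_password = "t7#Qz!mP2x9Lw"
+api_token = os.environ["API_TOKEN"]
+password = "changeme"
 DEBUG = False
"""
```

The environment-variable lookup on line 4 is not reported, and neither is `password = "changeme"`: its entropy falls below the threshold, which is the kind of miss that makes unstructured secrets harder to detect than prefixed tokens.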

The platform suggests using tools that integrate with CI/CD pipelines and cloud platforms to handle secrets programmatically, reducing human interaction that can introduce errors and exposure.

Finally, GitHub users are advised to review the ‘Best Practices’ guide and ensure they appropriately manage secrets end-to-end.

Bill Toulas