GitHub implements a check for leaking sensitive data in repositories

GitHub announced a free service that tracks the accidental publication of sensitive data in repositories, such as encryption keys, database passwords, and API access tokens. Previously the service was available only to participants in the beta testing program; it is now offered without restriction to all public repositories. To enable scanning of your repository, open the "Code security and analysis" section of the repository settings and activate the "Secret scanning" option.

In total, more than 200 patterns have been implemented to identify various types of keys, tokens, certificates, and credentials. The search for leaks covers not only code but also issues, descriptions, and comments. To avoid false positives, only token types with an unambiguous format are checked, covering more than 100 different services, including Amazon Web Services, Azure, Crates.io, DigitalOcean, Google Cloud, NPM, PyPI, RubyGems, and Yandex.Cloud. Alerts on detected self-signed certificates and private keys are also supported.
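As an added illustration (not GitHub's own scanner, whose rule set is not published on this page), the following Python snippet applies the same idea: it reports only tokens whose provider-specific prefix makes the format unambiguous, which keeps false positives low at the cost of missing secrets that have no recognisable prefix. The AWS, GitHub, and Google prefixes are those services' documented public formats; the sample input and every value in it are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Each pattern is anchored to a provider-specific prefix, so only unambiguous
# token formats are reported. Prefix formats are public; the scanner is an
# added example, not GitHub's implementation.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "AWS access key ID": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "GitHub personal access token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "Google API key": re.compile(r"\b(AIza[0-9A-Za-z_-]{35})\b"),
}


def mask(secret: str) -> str:
    """Keep the prefix and last 4 characters so an alert does not re-leak the value."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, token_type, masked_value) for every match, in file order."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, mask(match.group(1))))
    return findings


def summarize(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count findings per token type, the way a per-repository report would."""
    return dict(Counter(kind for _, kind, _ in findings))


# Constructed sample: a config file followed by an issue comment. The values
# only follow each format; they are not real credentials.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GOOGLE_API_KEY=AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe
issue comment: "try ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
    print(summarize(scan(SAMPLE)))
```

Line 2 of the sample (the AWS secret access key) is deliberately not reported: it has no fixed prefix, so a prefix-anchored scanner cannot flag it without risking false positives.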

In January, an experiment analyzed 14 repositories that use GitHub Actions. Secret data was found in 1110 repositories (7.9%, i.e. almost one in twelve). Among the findings were 692 GitHub App tokens, 155 Azure Storage keys, 155 GitHub Personal tokens, 120 Amazon AWS keys, and 50 Google API keys.

Source: opennet.ru