GitHub announces free secret scanning for public repos
GitHub announces free secret scanning for all public repositories.
GitHub announces free secret scanning for public repos
GitHub is to offer free public repo secret scanning, as of January 2023. This is excellent news for those working on public repos.
However, this is only free for public repositories. For private repos, you need to subscribe to the GitHub enterprise plan to take advantage of the advanced security features.
For those who have private repos and do not want to pay for GitHub Enterprise, do not panic, we will be doing another blog post on how to create a simple secret scanning GitHub action shortly.
So, to enable secret scanning for your repository, you first need to enable the feature in the repository’s settings. To do this:
- Go to the “Settings” tab of your repository
- Under the “Security” section
- select “Secret scanning.”
From there, you can enable secret scanning and choose the types of secrets that you want to scan for.
Once secret scanning is enabled, GitHub Actions will automatically scan all new commits and pull requests for secrets. If a secret is detected, GitHub will display a warning in the pull request or commit, alerting you to the presence of the secret.
GitHub will also notify the service provider about the detected secret. The service provider will then check the detected secret, and contact you directly. Please see Github Doc for further details.
To help prevent secrets from being committed in the first place, we recommend using pre-commit checks. You can use tools like git leaks, git-secrets or Trufflehog to scan your repository for secrets before committing. However, please remember that local developers can disable these pre-commit checks.
We recommend holding secrets in a cloud-based secrets vault such as AWS secrets manager or systems manager parameter store, or Azure key vault. This will ensure:
- Access to secrets is logged
- Secrets can be easily changed (even per deployment or application version)
- Secrets are encrypted in transit
- Secrets will be encrypted at rest (in the cloud vault at least)
For the governance and security professional, we at Punk Security have written a secret scanning tool called SecretMagpie. SecretMagpie will scan your organisation repositories at scale, without adding or modifying any CI check. Secret Magpie will scan all GIT repositories using GitLeaks and Trufflehog, then share the findings in an easy interface to remove false positives and quicky pivot to real issues.
Please visit our git hub page for SecretMagpie for further details.
Overall, adding secret scanning to your repository is a simple but effective way to enhance the security of your codebase and protect your sensitive information. By following best practices and using tools like secret scanning, you can help ensure that your repository is secure and that your sensitive information stays safe.