Secret scanning exposes widespread credential leaks on GitHub

April 7, 2025

GitHub has announced major enhancements to its Advanced Security tools after secret scanning efforts revealed over 39 million leaked secrets across repositories in 2024. The exposed data includes API keys, credentials, passwords, and access tokens, putting both individual users and organisations at serious risk of cyberattacks.


The 39 million exposed secrets were discovered through GitHub’s secret scanning service, which detects sensitive information in code repositories before it is publicly exposed.


Despite existing measures like Push Protection, which was rolled out by default on all public repositories in February 2024, secrets continue to leak. GitHub attributes this trend to developers prioritising convenience when committing code and to accidental exposures through Git history.

Recognising the ongoing risk, GitHub has rolled out several important changes to improve its security posture. One key update is that secret protection and code security tools are now offered as standalone products. Previously, these features required purchasing a full Advanced Security licence, making them too costly for many smaller teams. The shift allows organisations to scale their defences more easily and affordably.

GitHub is also offering a free, organisation-wide secret risk assessment, which performs a point-in-time scan of all repositories—public, private, internal, and archived—for leaked secrets. The assessment is intended to give organisations a clearer picture of their exposure so they can take immediate steps to address the risks it surfaces.

Further improvements include advanced Push Protection with delegated bypass controls, allowing organisations to set specific rules on who can override security warnings. Secret scanning is also being strengthened through artificial intelligence, with GitHub Copilot now helping detect unstructured secrets like passwords more accurately and with fewer false positives.

To boost detection capabilities, GitHub has partnered with major cloud providers to build more responsive and precise secret detectors. These partnerships aim to help security teams identify and mitigate threats more rapidly.

GitHub also urges users to take proactive steps to protect their data. Recommended actions include enabling Push Protection across all levels, avoiding the use of hardcoded secrets in source code, and relying on environment variables or secret managers instead. Integrating secret management tools with CI/CD pipelines can also lessen the risk of human error.
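As an added illustration of the two ideas in the recommendations above (how a scanner can flag both structured tokens and unstructured passwords, and what reading secrets from the environment looks like instead of hardcoding them), the following Python is example code written for this page, not GitHub's secret scanning implementation. The detector rules, entropy threshold and sample source lines are constructed for the example; the `AKIA` and `ghp_` prefixes follow publicly documented key formats, and the AWS value used is Amazon's own documentation placeholder key.

```python
import math
import os
import re
from dataclasses import dataclass

# Structured secrets have a fixed, recognisable shape, so a regex is enough.
# Rules are hypothetical and simplified; real detectors carry many more.
STRUCTURED_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Unstructured secrets (passwords) have no fixed format. Fall back to a
# heuristic: an assignment to a secret-looking name with a high-entropy value.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api_key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    rule: str
    value: str


def scan_lines(lines, entropy_threshold=3.0):
    """Scan source lines the way a push-protection hook would, before commit."""
    findings = []
    for i, line in enumerate(lines, start=1):
        for name, pattern in STRUCTURED_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(i, name, m.group(0)))
        m = ASSIGNMENT.search(line)
        # Only apply the heuristic if no structured rule already hit this line.
        if m and not any(f.line_no == i for f in findings):
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(i, "high_entropy_assignment", value))
    return findings


def load_secret(name: str) -> str:
    """The hardened pattern: read from the environment (populated by a secret
    manager or the CI system) and fail loudly rather than fall back to a literal."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; configure it in the secret manager")
    return value


# Constructed sample source lines; none of these values is a live credential.
SAMPLE_SOURCE = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',              # AWS docs example key
    'token = "ghp_0123456789abcdef0123456789abcdef0123"',      # constructed PAT shape
    'db_password = "Xq7$vL2!pR9#kT4m"',                        # constructed, high entropy
    'password = "changeme"',                                   # placeholder, low entropy
    'api_key = os.environ["API_KEY"]',                         # hardened: no literal
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} -> {f.value}")
```

Lines 1 to 3 are flagged and the commit would be blocked; the `changeme` placeholder and the environment lookup pass. The entropy heuristic is deliberately crude, which is the point the article makes about unstructured secrets: they need richer context (such as the AI-assisted detection mentioned above) to keep false positives down.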

As secret scanning becomes more advanced and accessible, GitHub aims to ensure that security is not an afterthought but a core part of the development workflow.
