Movatterモバイル変換

ホーム

AI & ML
- AI & ML
  Learn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry.
  - Generative AI
    Learn how to build with generative AI.
  - GitHub Copilot
    Change how you work with GitHub Copilot.
  - LLMs
    Everything developers need to know about LLMs.
  - Machine learning
    Machine learning tips, tricks, and best practices.
- How AI code generation works
  Explore the capabilities and benefits of AI code generation and how it can improve your developer experience.
  Learn more
Developer skills
- Developer skills
  Resources for developers to grow in their skills and careers.
  - Application development
    Insights and best practices for building apps.
  - Career growth
    Tips & tricks to grow as a professional developer.
  - GitHub
    Improve how you use GitHub at work.
  - GitHub Education
    Learn how to move into your first professional role.
  - Programming languages & frameworks
    Stay current on what’s new (or new again).
- Get started with GitHub documentation
  Learn how to start building, shipping, and maintaining software with GitHub.
  Learn more
Engineering
- Engineering
  Get an inside look at how we’re building the home for all developers.
  - Architecture & optimization
    Discover how we deliver a performant and highly available experience across the GitHub platform.
  - Engineering principles
    Explore best practices for building software at scale with a majority remote team.
  - Infrastructure
    Get a glimpse at the technology underlying the world’s leading AI-powered developer platform.
  - Platform security
    Learn how we build security into everything we do across the developer lifecycle.
  - User experience
    Find out what goes into making GitHub the home for all developers.
- How we use GitHub to be more productive, collaborative, and secure
  Our engineering and security teams do some incredible work. Let’s take a look at how we use GitHub to be more productive, build collaboratively, and shift security left.
  Learn more
Enterprise software
- Enterprise software
  Explore how to write, build, and deploy enterprise software at scale.
  - Automation
    Automating your way to faster and more secure ships.
  - CI/CD
    Guides on continuous integration and delivery.
  - Collaboration
    Tips, tools, and tricks to improve developer collaboration.
  - DevOps
    DevOps resources for enterprise engineering teams.
  - DevSecOps
    How to integrate security into the SDLC.
  - Governance & compliance
    Ensuring your builds stay clean.
- How enterprise engineering teams can successfully adopt AI
  Learn how to bring AI to your engineering teams and maximize the value that you get from it.
  Learn more
News & insights
- News & insights
  Keep up with what’s new and notable from inside GitHub.
  - Company news
    An inside look at news and product updates from GitHub.
  - Product
    The latest on GitHub’s platform, products, and tools.
  - Octoverse
    Insights into the state of open source on GitHub.
  - Policy
    The latest policy and regulatory changes in software.
  - Research
    Data-driven insights around the developer ecosystem.
  - The library
    Older news and updates from GitHub.
- Unlocking the power of unstructured data with RAG
  Learn how to use retrieval-augmented generation (RAG) to capture more insights.
  Learn more
Open Source
- Open Source
  Everything open source on GitHub.
  - Git
    The latest Git updates.
  - Maintainers
    Spotlighting open source maintainers.
  - Social impact
    How open source is driving positive change.
  - Gaming
    Explore open source games on GitHub.
- An introduction to innersource
  Organizations worldwide are incorporating open source methodologies into the way they build and ship their own software.
  Learn more
Security
- Security
  Stay up to date on everything security.
  - Application security
    Application security, explained.
  - Supply chain security
    Demystifying supply chain security.
  - Vulnerability research
    Updates from the GitHub Security Lab.
  - Web application security
    Helpful tips on securing web applications.
- The enterprise guide to AI-powered DevSecOps
  Learn about core challenges in DevSecOps, and how you can start addressing them with AI and automation.
  Learn more

Keeping secrets out of public repositories

With push protection now enabled by default, GitHub helps open source developers safeguard their secrets, and their reputations.

Eric Tooley &Courtney Claessens

February 29, 2024

|3 minutes

Accidental leaks of API keys, tokens, and other secrets risk security breaches, reputation damage, and legal liability at a mind-boggling scale. In just the first eight weeks of 2024, GitHub has detected over 1 million leaked secrets on public repositories. That’s more than a dozen accidental leaksevery minute.

Since last August, all GitHub cloud users couldopt-in to secret scanning push protection, which automatically blocks commits when a secret is detected. Now, we’ve enabled secret scanning push protection by default for all pushes to public repositories.

What’s changing

This week, we began the rollout of push protection for all users. This means that when asupported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block. It might take a week or two for this change to apply to your account; you can verify status and opt-in early incode security and analysis settings.

How will this change benefit me?

Leaked secrets can pose a risk to reputation, revenue, and even legal exposure, which is why GitHub Advanced Security customers scan more than 95% of pushes to private repositories. As champions for the open source community, we believe that public repositories–and your reputation as a coder–are worth protecting, too.

Do I have a choice?

Yes. Even with push protection enabled, you have the choice to bypass the block. Although we don’t recommend it, you can also disable push protection entirely in youruser security settings. However, since you always retain the option to bypass the block, we recommend that you leave push protection enabled and make exceptions on an as-needed basis.

What about private repositories?

If your organization is on theGitHub Enterprise plan, you can addGitHub Advanced Security to keep secrets out of private repositories as well. You’ll also get all of the other features forsecret scanning, along withcode scanning, AI-poweredautofix code suggestions, and other static application security (SAST) features as part of a comprehensive DevSecOps platform solution.

Learn more about secret scanning

GitHub secret scanning guards over 200 token types and patterns from more than 180 service providers, and boasts the industry’s highest precision and lowest rate of false positives.¹ Together, we can keep secrets from leaking on public repositories.

Learn more about secret scanning
Learn more about push protection for users
Join the discussion withinGitHub Community

Notes

A Comparative Study of Software Secrets Reporting by Secret Detection Tools, Setu Kumar Basak et al., North Carolina State University, 2023. ↩

Written by

Eric Tooley

@2ley

Courtney Claessens

@courtneycl

More onopen source

CVE-2025-53367: An exploitable out-of-bounds write in DjVuLibre

DjVuLibre has a vulnerability that could enable an attacker to gain code execution on a Linux Desktop system when the user tries to open a crafted document.

Kevin Backhouse &Antonio Morales