GitHub, the widely used code hosting platform owned by Microsoft, has unveiled new security features aimed at helping developers and organizations protect sensitive information, often referred to as “secrets,” in their code. This update comes after GitHub revealed a shocking 39 million secrets were accidentally leaked across its platform in 2024.
Secrets like API tokens, passwords, and credentials are commonly stored in code repositories. Unfortunately, developers often forget to keep these sensitive values hidden from the public, leading to unintended exposure. Once a secret is leaked it can be exploited by cybercriminals; in practice, attackers can harvest and use exposed secrets within minutes, so quick action is essential.
GitHub’s New Security Features
To address these concerns, GitHub introduced two new capabilities: Secret Protection and Code Security. These features are now available as standalone products for GitHub Enterprise customers. Previously, these tools were only bundled into higher-tier packages, which put them out of reach for smaller teams. With this update, GitHub is also offering Secret Protection free of charge for all public repositories.
For organizations using GitHub Team, the tools are also available as add-ons. This means that smaller development teams no longer have to upgrade to GitHub Enterprise to access these critical security features. By making them more accessible, GitHub is aiming to ensure that all users, from small startups to large enterprises, can protect their secrets with ease.
Secret Risk Assessment and Push Protection
In addition to the new security tools, GitHub has introduced a secret risk assessment feature. This allows organizations to scan all of their repositories—whether public, private, or internal—for exposed secrets. The tool performs a point-in-time scan and reports any exposed secrets it finds in the code. It also offers actionable steps to help organizations address those issues before they become bigger problems.
GitHub assures users that no secrets are stored or shared during the scan, ensuring privacy for organizations while they strengthen their security. This feature is currently in public preview, and GitHub is seeking feedback from users to improve it further.
Along with the risk assessment tool, GitHub has rolled out push protection. This feature prevents secrets from being accidentally pushed into repositories. It blocks sensitive information from being exposed, helping prevent leaks before they occur. This proactive approach reduces the likelihood of human error and strengthens overall security.
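To make the push-protection idea concrete, here is an added example of the check a pre-push hook would run locally: it walks a unified diff and flags only added lines that match a few well-known credential formats, so that a commit removing an already-leaked secret is never blocked. This is illustrative code written for this article, not GitHub's own implementation; the detector patterns, the sample diff, and the fake token values are all constructed here.

```python
import re
from typing import List, Optional, Tuple

# Detectors for a few well-known credential formats: ghp_ prefixes classic GitHub personal
# access tokens, AKIA prefixes AWS access key IDs; the exact lengths here are illustrative.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

def scan_diff(diff_text: str) -> List[Tuple[Optional[str], int, str]]:
    """Return (file, new-file line number, detector) for every ADDED line that matches.
    Removed and context lines are never flagged, so deleting a leaked secret is not blocked."""
    findings, current_file, new_line, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                       # new-file header of the next file
            current_file = line[6:] if line.startswith("+++ b/") else line[4:]
            in_hunk = False
        elif line.startswith("@@"):                       # hunk header carries the start line
            new_line, in_hunk = int(HUNK_RE.match(line).group(1)), True
        elif not in_hunk:
            continue                                      # 'diff --git', 'index', '--- a/' lines
        elif line.startswith("+"):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line[1:]):
                    findings.append((current_file, new_line, name))
            new_line += 1
        elif not line.startswith("-"):
            new_line += 1                                 # unchanged context line
    return findings

def push_allowed(diff_text: str) -> bool:
    """Policy a pre-push hook would apply: refuse the push if any added line carries a secret."""
    return not scan_diff(diff_text)

# Constructed sample diff; the credentials below are fake values in the right shape.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,4 @@
 import os
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
 DEBUG = False
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports both added lines of settings.py, so `push_allowed` refuses the push; a real pre-push hook would feed it the output of `git diff` for the commits being pushed.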
Why This Matters
The need for these updates is clear, especially given the scale of secret leaks in 2024. With 39 million secrets exposed, GitHub has recognized the importance of providing tools that can help developers and organizations better secure their code. By offering these tools, GitHub aims to make it easier for developers to prevent data leaks, ensuring that they can keep their projects safe from threats.
These new features mark a significant step forward in improving code security on GitHub. They offer organizations the flexibility to manage their secrets more effectively, regardless of their size or budget.
GitHub’s latest security enhancements give developers and organizations the tools they need to protect their code from leaks. With features like Secret Protection, Code Security, secret risk assessments, and push protection, GitHub is addressing a critical issue in software development. By providing these tools to all users, GitHub is helping to make the platform safer for everyone.