GitHub is beefing up its security after finding a staggering 39 million secrets—API keys, credentials, the works—leaking from repositories in 2024. This exposure puts users and organizations at serious risk.
According to GitHub’s report, this massive leak was detected by its secret scanning service, which identifies exposed API keys, passwords, and tokens within repositories.
“Secret leaks remain one of the most common—and preventable—causes of security incidents,” GitHub stated in its announcement, noting, “As we develop code faster than ever previously imaginable, we’re leaking secrets faster than ever, too.”
Despite measures like “Push Protection,” launched in April 2022 and enabled by default on public repositories in February 2024, secrets continue to leak, both because developers prioritize convenience over care when handling secrets in commits and because repositories are exposed accidentally, with the secrets persisting in git history.
To combat these leaks, GitHub is rolling out several new measures and enhancements:
“As of today, our security products are available to purchase as standalone products for enterprises, enabling development teams to scale security quickly,” GitHub explained. “Previously, investing in secret scanning and push protection required purchasing a larger suite of security tools, which made it too expensive for many organizations.”
Beyond GitHub’s upgrades, users are urged to take proactive steps to safeguard against secret leaks. Recommendations include enabling Push Protection at the repository, organization, or enterprise level to preemptively block secrets. GitHub also suggests eliminating hardcoded secrets by using environment variables, secret managers, or vaults.
The platform further advises using tools integrated with CI/CD pipelines and cloud platforms for programmatic secret handling, minimizing error-prone human interaction and potential exposure.
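The two recommendations above, a local pre-commit check that mimics what push protection does on the server side and a loader that only accepts secrets injected by the CI/CD platform or a vault, as an added example that is not GitHub's own code. The patterns, the script name `check_secrets.py` and the sample diff are assumptions made for the illustration.

```python
import os
import re
import sys

# Illustrative patterns only; GitHub's push protection uses a far larger,
# provider-maintained set. Anchoring on a provider prefix keeps ordinary
# hex or base64 strings from being reported.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def find_secrets(diff_text):
    """Return [(line_no, kind)] for each added ('+') diff line that matches."""
    # '-' lines are ignored on purpose: deleting a secret does not undo the
    # leak, the value is still in git history and must be rotated.
    hits = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((n, kind))
    return hits

def load_secret(name, env=os.environ):
    """Read a secret injected by the CI/CD platform or a vault agent."""
    # No literal fallback: a missing variable fails loudly rather than
    # tempting anyone to paste the value into the source.
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name} is not set in the environment")
    return value

# Constructed sample diff with obviously fake values, for a local dry run.
SAMPLE_DIFF = (
    "+++ b/deploy.py\n"                       # header line, skipped
    '+TOKEN = "ghp_' + "x" * 36 + '"\n'       # line 2: hardcoded PAT
    " client = connect(TOKEN)\n"              # line 3: unchanged context
    '+AWS_KEY = "AKIA' + "0" * 16 + '"\n'     # line 4: hardcoded key id
    '-OLD = "ghp_' + "y" * 36 + '"\n'         # line 5: removed, still in history
)

if __name__ == "__main__":
    # As a pre-commit hook:  git diff --cached | python check_secrets.py
    found = find_secrets(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for line_no, kind in found:
        print(f"line {line_no}: possible {kind}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run without piped input it checks the constructed sample and exits non-zero; wired to `git diff --cached` it blocks the commit the same way push protection blocks the push.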
Lastly, GitHub encourages users to review the ‘Best Practices’ guide for comprehensive secrets management.