
In 2024, developers across GitHub used secret scanning to detect more than 39 million leaked secrets in their repositories, while push protection prevented 4 million more from being leaked in the first place.
And that was before this month’s launch of GitHub Secret Protection that combines secret scanning, push protection, and AI-detected passwords to serve even more developers like you.
Maybe you haven’t run into a “Possible valid secrets detected” alert yet. Or perhaps you have and weren’t quite sure what to do. That’s what we’re here for.
In this edition of The GitHub Insider, we’re going to learn about secrets—what they are, why they matter, and how GitHub can help you keep them secure.

Not only that, we’ll give you some resources to get some hands-on experience with securing those secrets, so it isn’t just theoretical.
🔑 What’s a "secret"?
In software, a secret is sensitive information used to authenticate or authorize access to systems, services, data, and APIs. Common examples include:
- API keys and tokens: These let your apps communicate securely with external services like GitHub's REST API or perform tasks that need authentication.
- Database credentials: Information that grants access to databases or cloud storage.
- Private keys: Keys such as PGP or SSH keys, which secure connections to other servers and encrypt data.
🚨 Why protecting your secrets matters
Do you (intentionally) leave your house keys dangling in the door? No?
Well, you shouldn’t leave your secrets out for everyone to see either. Here’s why:
- Unauthorized access: Attackers could gain control over your applications, databases, or cloud infrastructure—anything those secrets allow access to.
- Data breaches: Stolen sensitive user information could result in privacy issues, legal trouble, and customers no longer trusting you with their data.
- Financial losses: Attackers might run costly operations on your cloud accounts.
- Service disruption: Compromised servers could cause downtime and data loss.
Think of a secret as your digital identity—if someone has it, they can do anything you can.
🛡️ Best practices for managing secrets
Here’s how you can prevent leaks and minimize damage if exposure occurs:
1. Follow the Principle of Least Privilege (PoLP):
- Limit secrets to the minimum required permissions. If someone only needs read access, restrict them to that level.
- Similarly, narrow your API scopes to precisely what's necessary. If your GitHub token only needs to create issues, don’t grant it access to repository contents.
- Create service accounts to minimize the risks of compromising personal accounts.
2. Secure handling in applications:
- Never hardcode secrets. Read them from environment variables or use a secret management tool (e.g., GitHub's repository secrets for Actions).
- Share secrets securely through password managers, never via email or chat.
- Rotate your secrets frequently and set expiration dates.
- Redact secrets in logs—never leave them in plaintext logs.
3. Respond swiftly if exposed:
- Immediately revoke compromised secrets and create new ones.
- Check activity logs for suspicious activities while the secret was unsecured.
- Identify how the secret was exposed and adjust your processes to remove that vulnerability.
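The "secure handling in applications" advice above (read secrets from the environment, never log them in plaintext) in working form. This is an added example, not code from GitHub or the newsletter; the `ghp_` token pattern is an assumption standing in for the many patterns a real scanner carries, and the logger name and placeholder text are arbitrary.

```python
import io
import logging
import os
import re

# Assumed token shape for this example: GitHub personal access tokens start with
# "ghp_" followed by 36 alphanumerics. Real scanners carry many more patterns.
TOKEN_RE = re.compile(r"ghp_[A-Za-z0-9]{36}")

def load_secret(name, environ=os.environ):
    """Read a secret from the environment instead of hardcoding it; fail loudly if unset."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value

def redact(text, secrets):
    """Replace known secret values and anything token-shaped with a placeholder."""
    for s in filter(None, secrets):  # skip empty values, which would match everywhere
        text = text.replace(s, "[REDACTED]")
    return TOKEN_RE.sub("[REDACTED]", text)

class RedactSecrets(logging.Filter):
    """Logging filter that scrubs secrets from every record before it is written."""
    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)
    def filter(self, record):
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()  # message is already interpolated; stop a second formatting pass
        return True

def logged_lines(messages, secrets):
    """Log each message through the redaction filter and return what would be written."""
    buf = io.StringIO()
    logger = logging.getLogger("secrets-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecrets(secrets))
    logger.addHandler(handler)
    for message in messages:
        logger.info(message)
    return buf.getvalue().splitlines()
```

Attach the filter to every handler your application uses; a filter on one handler does nothing for output written through another.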
🛠️ Practice safely storing secrets
Now that you have an understanding of the basics, it’s time to put that knowledge into practice. Thankfully, we have several resources that can help you get your hands dirty without putting yourself at risk.
1️⃣ Get some practice safely storing a secret for GitHub Actions and find out firsthand how push protection prevents you from committing a secret to a public repository.
2️⃣ Get an introduction to secret scanning, where you’ll see how GitHub can help you identify plain-text credentials in your repository and prevent them from being exposed on GitHub in future pushes.
3️⃣ Take your security skills to the next level with the GitHub Security Lab’s Secure Code Game. Learn to spot and fix vulnerable patterns in real-world code, build security into your workflows, and understand security alerts generated against your code, in an in-repo learning experience.
That’s it for now! Secrets might sound scary, but with the right habits and GitHub’s built-in tools, you’ve got this. Treat your tokens like you’d treat your house keys, and you’ll stay one step ahead of the baddies.
Stay safe out there, and see you in the pull requests.
Get started with GitHub Secret Protection
✨ This newsletter was written by Mike Melanson and produced by Gwen Davis. ✨