Secret scanning is expanding detection coverage beyond commit content. GitHub now detects secrets found in pull request and GitHub discussions (e.g. bodies, comments, edits).
As GitHub expands support, GitHub will be performing backfills to detect historically existing secrets across pull requests and discussions.
This release follows support of scanning for GitHub issues, and will be similarly followed by support for secret scanning across GitHub wiki content.
Intended Outcome
Secrets can be exposed anywhere -- not just across code content. GitHub helps keep you safe by automatically scanning additional surfaces across GitHub, without the need for any additional setup.
How will it work?
For repositories where secret scanning is enabled, you'll automatically begin to receive secret scanning alerts for any exposed secrets in pull requests or discussions. GitHub will also continue to scan public repositories for publicly leaked secrets, and will now notify partners in secret scanning's partnership program if secrets are detected in public pull requests or discussions.
Summary
Secret scanning is expanding detection coverage beyond commit content. GitHub now detects secrets found in pull request and GitHub discussions (e.g. bodies, comments, edits).
As GitHub expands support, GitHub will be performing backfills to detect historically existing secrets across pull requests and discussions.
This release follows support of scanning for GitHub issues, and will be similarly followed by support for secret scanning across GitHub wiki content.
Intended Outcome
Secrets can be exposed anywhere -- not just across code content. GitHub helps keep you safe by automatically scanning additional surfaces across GitHub, without the need for any additional setup.
How will it work?
For repositories where secret scanning is enabled, you'll automatically begin to receive secret scanning alerts for any exposed secrets in pull requests or discussions. GitHub will also continue to scan public repositories for publicly leaked secrets, and will now notify partners in secret scanning's partnership program if secrets are detected in public pull requests or discussions.