GitHub recently extended its secret scanning feature to cover PyPI and RubyGems registry secrets, to prevent Python and Ruby developers from inadvertently committing secrets and credentials to their GitHub repositories.
A secret, also known as a token, is a unique string used for authentication. When writing software, developers usually rely on third-party software to avoid “reinventing the wheel”. Sometimes a third-party library can simply be imported into the code; in other cases it must communicate with an external service before it can be used. That communication requires a credential for verification, much like using a username and password to log in to an account. For example, on GitHub, a user who wants to use the API to modify their account or repositories must generate a personal access token.
GitHub secret scanning is a service that scans pushes to repositories for potentially exposed secrets, protecting users’ code and their third-party accounts. Public repositories are scanned automatically; for private repositories the service must be enabled manually. GitHub currently partners with more than 40 cloud providers to scan for more than 70 different types of secrets. When it discovers a secret, it either sends it directly to the third-party provider for revocation or notifies the owner of the repository.
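The mechanism described above, scanning pushed content for strings that look like registry or API tokens, can be reproduced on a much smaller scale as a local pre-push check. The following Python script is an added example, not GitHub's own scanner or any published code from GitHub, PyPI or RubyGems. It matches the documented `pypi-` prefix of PyPI API tokens and the `ghp_` prefix of classic GitHub personal access tokens; the `rubygems_` prefix used for RubyGems API keys is an assumption of this example, as are the minimum lengths and the entropy threshold. The sample lines it scans are constructed and contain no real credentials.

```python
import math
import re

# Token patterns keyed by secret type. The "pypi-" and "ghp_" prefixes are
# the real, documented prefixes; "rubygems_" and the length bounds are
# assumptions of this example, not GitHub's actual detection rules.
SECRET_PATTERNS = {
    "pypi_api_token": re.compile(r"\bpypi-[A-Za-z0-9_-]{16,}"),
    "rubygems_api_key": re.compile(r"\brubygems_[A-Fa-f0-9]{16,}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Constructed sample of lines as they might appear in a push; none of these
# values is a real credential.
SAMPLE_DIFF_LINES = [
    "PYPI_TOKEN = 'pypi-AgEIcHlwaS5vcmcCJDk3ZjQxNzBmLTc2YjEtNGUyZi1hMDU4'",
    "GEM_HOST_API_KEY = 'rubygems_0123456789abcdef0123456789abcdef'",
    "GITHUB_TOKEN = 'ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5'",
    "EXAMPLE = 'pypi-xxxxxxxxxxxxxxxx'   # placeholder, not a secret",
    "print('hello world')",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'xxxx' score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str, keep: int = 6) -> str:
    """Keep only a short prefix so reports do not re-expose the secret."""
    return token[:keep] + "..."


def scan_lines(lines, min_entropy: float = 3.0):
    """Return one finding per matched, sufficiently random token.

    Each finding records the secret type, the 1-based line number and a
    redacted form of the token; the full token is never stored.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                # Low-entropy matches are almost always documentation
                # placeholders; skipping them keeps the check low-noise.
                if shannon_entropy(token) < min_entropy:
                    continue
                findings.append(
                    {"type": kind, "line": lineno, "token": redact(token)}
                )
    return findings


def has_secrets(lines) -> bool:
    """Convenience predicate for use as a pre-push gate."""
    return bool(scan_lines(lines))


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_DIFF_LINES):
        print(f"line {f['line']}: possible {f['type']} ({f['token']})")
    # A real hook would exit non-zero here to block the push.
    raise SystemExit(1 if has_secrets(SAMPLE_DIFF_LINES) else 0)
```

The entropy gate is the design choice worth noting: a plain regex on the prefix would also flag the `pypi-xxxx…` placeholder on line 4, which is exactly the false positive that makes developers disable such hooks. Findings carry only a redacted prefix, so the hook's own output cannot become a second leak in CI logs.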