PyPI joins the GitHub secret scanning project
Secret scanning is a service run by GitHub. GitHub works with repository owners to scan repositories for secrets, so that credentials committed by accident cannot be used fraudulently. The scan looks for strings that match the formats of known token types. “Secret scanning is automatically enabled on public repositories. When you push to a public repository, GitHub scans the content of the commits for secrets. If you switch a private repository to public, GitHub scans the entire repository for secrets.”
According to the announcement, GitHub will now scan every commit pushed to a public repository for exposed PyPI API tokens. It forwards any tokens it finds to PyPI, and PyPI automatically disables them and notifies their owners. This end-to-end process takes only a few seconds.
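The workflow above (match a token format in commit content, report it, and let the issuer revoke it) can be checked locally before anything reaches a public repository. The following is an added example, not code from the article, GitHub or PyPI: a small pre-push style scanner that searches file contents for strings shaped like PyPI API tokens. The token shape it uses is an assumption not stated in the article: PyPI tokens are the string `pypi-` followed by a base64url-encoded macaroon whose location is `pypi.org`, so every real token begins with `pypi-AgEIcHlwaS5vcmc`. The sample `.pypirc` content and its token are constructed for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed token shape (not from the article): "pypi-" + base64url macaroon whose
# location field is "pypi.org", hence the fixed "AgEIcHlwaS5vcmc" prefix. A long
# base64url tail after that prefix is treated as a candidate secret.
PYPI_TOKEN_RE = re.compile(r"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{40,}")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    redacted: str  # only a prefix and suffix are kept so the report itself leaks nothing


def redact(token: str) -> str:
    """Keep enough of the token to recognise it, never the whole credential."""
    return f"{token[:12]}...{token[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per token-shaped match, with its 1-based line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PYPI_TOKEN_RE.finditer(line):
            findings.append(Finding(path, line_no, redact(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents, as a pre-push hook would see them."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample commit contents; the token below is fabricated, not a real credential.
SAMPLE_FILES = {
    ".pypirc": (
        "[pypi]\n"
        "username = __token__\n"
        "password = pypi-AgEIcHlwaS5vcmc" + "A" * 60 + "\n"
    ),
    "README.md": "Publish with `twine upload dist/*`.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: possible PyPI API token {f.redacted}")
    # Non-zero exit blocks the push when run as a hook.
    raise SystemExit(1 if results else 0)
```

Run as a hook, a non-zero exit stops the push; the report never prints the full token, so the scanner output cannot itself become a second leak. Because the regex keys on the fixed macaroon prefix rather than on generic entropy, it produces very few false positives on ordinary source files.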
GitHub stated that PyPI is the latest integrator to join the GitHub secret scanning program. Since 2018, GitHub has partnered with 35 token issuers to help them protect their customers. GitHub also invites further integrators to join the program for secret scanning of public repositories.