GitHub Expands Secret Scanning, 2FA Across Platform

GitHub is making secrets scanning available for all public repositories and requiring all developers to enable two-factor authentication (2FA) for their accounts. The secrets scanning service will be available to all users by the end of January, and mandatory 2FA will be in place by the end of 2023, GitHub said.

Scanning for Secrets

The secret scanning service alerts developers when secrets such as application tokens and user credentials are exposed in code. Up until now, the service was available to paid enterprise users (via GitHub Advanced Security). The new policy will provide the service for free to all public GitHub repositories.

The service to scan for secrets helped identify 1.7 million potential secrets exposed in public repositories in 2022, GitHub said.

While the scanner can recognize over 200 known token formats, the option to define custom regex patterns is also available. 

“You can define custom patterns at the repository, organization, and enterprise levels. ... With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern,” the company said.

Developers will be able to find this option in their repository settings under Code security and analysis, where there is a section called Vulnerability alerts, and a Security tab. All secrets found by the service will be displayed in the same section, along with suggested ways to remediate the exposures.

2FA For All

The company has been talking about making 2FA mandatory across the platform, and the requirement will begin rolling out in March. Users will receive reminders 45 days prior to when they have to turn on 2FA, and their accounts will be blocked if 2FA is still not enabled seven days after the deadline, the company said.

Users required to enable 2FA include those who publish GitHub or OAuth apps or package, those who create a release, enterprise and organization administrators, and those who contribute code to other repositories.

“We’ll assess the outcomes of the rollout after each group–observing user success rates for 2FA onboarding, rates of account lockout and recovery, and our support ticket volume. This data will enable us to adjust our approach and more appropriately size and schedule remaining groups as needed to ensure a positive experience for developers, and support workloads GitHub can sustain,” GitHub announced.