GitHub Unveils New Security Features After 39M Secret Leaks Discovered

GitHub, the Microsoft-owned code hosting platform, has revealed that 39 million secrets were leaked across its repositories in 2024, prompting the release of new security features to combat this growing threat.

The platform detected that developers frequently exposed sensitive information like API keys in their code repositories, with multiple secrets being blocked every minute through push protection measures. Even seemingly low-risk exposures were found to enable attackers to gain broader system access.

In response, GitHub has introduced several new security capabilities:

  • Standalone Secret Protection and Code Security features that don't require full Advanced Security licensing
  • Free secret scanning for public repositories
  • Support for GitHub Team organizations without Enterprise upgrades
  • Risk assessment tools for scanning secrets across all repository types
  • Enhanced push protection with delegated bypass controls
  • AI-powered secret detection using GitHub Copilot

The new risk assessment functionality allows organizations to scan their entire codebase (including public, private, internal and archived repositories) without storing or sharing specific secrets. This provides clear visibility into potential exposures while maintaining security.

GitHub has also partnered with major cloud providers including AWS, Google Cloud, and OpenAI to improve secret detection accuracy and response times. The company recommends best practices such as:

  • Enabling Push Protection
  • Removing hardcoded secrets from code
  • Using secret managers and environment variables
  • Implementing CI/CD-integrated tools

These updates aim to make security more accessible, especially for smaller teams, while helping organizations better manage sensitive data across their code repositories.

The high volume of exposed secrets in 2024 highlights the critical need for improved security practices as development speeds increase. GitHub's new tools provide expanded capabilities to help prevent leaks before they occur.