GitHub secret scanning

On June 27, 2023 GitHub announced that secret scanning push protection is now generally available for all public repositories and GitHub Advanced Security (GHAS) customers. The control intercepts pushes that contain high-confidence credentials—covering more than 200 token types maintained with partners—and blocks the commit until the author removes the secret or records a business-justified bypass.

Industry indicators

• Default coverage for public repos. GitHub enabled push protection automatically for every public repository, expanding from the previous preview program.
• Enterprise customization. GHAS customers can define custom secret patterns, integrate approval workflows, and audit bypasses through the organization-level policy center.
• Broad partner ecosystem. Secret scanning now blocks credentials issued by AWS, Azure, Google Cloud, Atlassian, Databricks, Twilio, and scores of SaaS and infrastructure vendors.

Mapping controls

• NIST SP 800-53 Rev. 5 (SI-7, AC-6). Push protection provides automated secret detection and enforces least privilege by preventing unauthorized credential propagation.
• PCI DSS 4.0 Requirement 6. Use push protection evidence to show secure software development practices and restriction of cleartext authentication data.
• ISO/IEC 27001 Annex A.8 & A.9. Prove key management and access control safeguards by showing how the pipeline blocks untracked credentials.

What to prioritize

• Enable push protection on every private repository, starting with regulated workloads, and require justification comments for each bypass.
• Integrate bypass telemetry into SIEM dashboards so security operations can confirm secrets were rotated and affected systems re-imaged.
• Review custom pattern definitions quarterly to cover organization-specific tokens, internal API keys, and certificates.

Steps to take

• Train developers on remediation workflows—removing secrets, rotating keys, and amending history—before pushing again.
• Update incident response runbooks to auto-open tickets for any bypass, assigning deadlines for credential rotation and environment cleanup.
• Coordinate with vendor management to ensure third-party partners honor regenerated credentials and reauthenticate integrations promptly.

What this means

• Credential hygiene is now preventive. Organizations can stop exposure before secrets land in Git history, reducing downstream forensics and takedown workloads.
• Bypass governance is measurable. Enterprises that monitor bypass reasons and rotation timelines will have defensible metrics for regulators and cyber insurance renewals.
• Coverage keeps expanding. GitHub’s partner program continuously adds new token patterns—teams must allocate ownership to keep custom rules in lockstep.

This brief helping platform teams wire push protection telemetry into risk dashboards and enforce rotation SLAs when developers acknowledge secret exposure.

Recommended practices

Development teams should adopt practices that ensure code quality and maintainability during and after this transition:

• Code review focus areas: Update code review checklists to include checks for deprecated patterns, new API usage, and migration-specific concerns. Establish review guidelines for changes that span multiple components.
• Documentation updates: Ensure README files, API documentation, and architectural decision records reflect the changes. Document rationale for setup choices to aid future maintenance.
• Version control practices: Use feature branches and semantic versioning to manage the transition. Tag releases clearly and maintain changelogs that highlight breaking changes and migration steps.
• Dependency management: Lock dependency versions during migration to ensure reproducible builds. Update package managers and lockfiles systematically to avoid version conflicts.
• Technical debt tracking: Document any temporary workarounds or deferred improvements introduced during migration. Create backlog items for post-migration cleanup and improvement.

Consistent application of development practices reduces risk and accelerates delivery of reliable software.

Ongoing maintenance

If you are affected, plan for ongoing maintenance and evolution of systems affected by this change:

• Support lifecycle awareness: Track support timelines for dependencies, runtimes, and platforms. Plan upgrades before end-of-life dates to maintain security patch coverage.
• Continuous improvement: Establish feedback loops to identify improvement opportunities. Monitor performance metrics and user feedback to guide iterative improvements.
• Knowledge management: Build team expertise through training, documentation, and knowledge sharing. Ensure institutional knowledge is preserved as team composition changes.
• Upgrade pathways: Maintain awareness of future versions and breaking changes. Plan incremental upgrades rather than large leap migrations where possible.
• Community engagement: Participate in relevant open source communities, user groups, or vendor programs. Stay informed about roadmaps, good practices, and common pitfalls.

preventive maintenance planning reduces technical debt accumulation and ensures systems remain secure, performant, and aligned with business needs.

• Test coverage analysis: Review existing test suites to identify gaps in coverage for affected functionality. Prioritize test creation for high-risk areas and critical user journeys.
• Regression testing: Establish full regression test suites to catch unintended side effects. Automate regression runs in CI/CD pipelines to catch issues early.
• Performance testing: Conduct load and stress testing to validate system behavior under production-like conditions. Establish performance baselines and monitor for degradation.
• Security testing: Include security-focused testing such as SAST, DAST, and dependency scanning. Address identified vulnerabilities before production deployment.
• User acceptance testing: Engage teams in UAT to validate that changes meet business requirements. Document acceptance criteria and sign-off procedures.

A full testing strategy provides confidence in changes and reduces the risk of production incidents.

Workflow integration

Development teams should integrate awareness of this change into their standard workflows, including code review processes, testing procedures, and deployment pipelines. Documentation should be updated to reflect any impacts on development practices, dependencies, or tooling. Knowledge sharing through team discussions or technical documentation helps ensure consistent setup across the development organization.

Long-term maintenance considerations should include tracking related developments, planning for future updates, and maintaining compatibility with evolving requirements and good practices in the development ecosystem.

Summary and next steps

Organizations should prioritize assessment of their current posture against the requirements outlined above and develop actionable plans to address identified gaps. Regular progress reviews and stakeholder communications help maintain momentum and accountability throughout the implementation journey.

Continued engagement with industry peers, professional associations, and regulatory bodies provides valuable opportunities for knowledge sharing and influence on future policy developments. Organizations that address emerging requirements position themselves favorably relative to competitors and build stakeholder confidence.

Governance structure

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Ongoing improvement

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

See also

Selected articles on related subjects.

Developer · Credibility 86/100 · May 22, 2023

GitLab 16 Platform Release

GitLab 16 shipped with AI-assisted code suggestions and a revamped navigation. The value stream dashboards give engineering leaders better visibility into development metrics. If you are on GitLab, this is a big upgrade.

Developer · Credibility 90/100 · July 10, 2024

Developer Enablement — OpenSSF

OpenSSF Scorecard 5.0 introduces structured probes, maintainer annotations, and new supply-chain checks, requiring engineering, security, and compliance teams to update automation, APIs, and risk reporting workflows.

Developer · Credibility 90/100 · May 4, 2022

Security Policy — GitHub Mandates Two-Factor Authentication

GitHub’s May 2022 announcement requires every active contributor to enable two-factor authentication by end-2023, prompting teams to audit accounts, update governance, and support developers through hardware- or…

Developer · Credibility 90/100 · October 1, 2024

Developer Enablement — Python 3.13

Python 3.13 release readiness means validating your applications and dependencies against the new version. The experimental no-GIL build offers interesting concurrency improvements, but production adoption should wait…

Developer · Credibility 71/100 · February 4, 2022

NIST publishes Secure Software Development Framework (SP 800-218)

NIST's Secure Software Development Framework (SSDF) is now the baseline for federal software procurement. It is not prescriptive about tools, but it sets clear expectations: threat modeling, secure coding, testing…

Continue in the Developer pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Secure Software Supply Chain Tooling Guide

  Engineer developer platforms that deliver verifiable provenance, SBOM distribution, vendor assurance, and runtime integrity aligned with SLSA v1.0, NIST SP 800-204D, and CISA SBOM…

• Developer Enablement & Platform Operations Guide

  Plan AI-assisted development, secure SDLC controls, and runtime upgrades using our research on GitHub Copilot, GitHub Advanced Security, and major language lifecycles.

• Continuous Compliance CI/CD Guide

  Implement CI/CD pipelines that satisfy NIST SP 800-218, OMB M-24-04 secure software attestations, FedRAMP continuous monitoring, and CISA Secure-by-Design guidance while preserving…

Cited sources

1. Industry Standards and Best Practices — International Organization for Standardization
2. GitHub Security Advisory Database