{"id":85988,"date":"2025-04-01T09:06:40","date_gmt":"2025-04-01T16:06:40","guid":{"rendered":"https:\/\/github.blog\/?p=85988"},"modified":"2025-04-01T13:41:44","modified_gmt":"2025-04-01T20:41:44","slug":"next-evolution-github-advanced-security","status":"publish","type":"post","link":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/","title":{"rendered":"GitHub found 39M secret leaks in 2024. Here&#8217;s what we&#8217;re doing to help"},"content":{"rendered":"<!DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD HTML 4.0 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/REC-html40\/loose.dtd\">\n<html><body><p>If you know where to look, exposed secrets are easy to find. Secrets are supposed to prevent unauthorized access, but in the wrong hands, they can be&mdash;and typically are&mdash;exploited in seconds.<\/p>\n<p>To give you an idea of the scope of the problem, more than <strong>39 million secrets<\/strong> were leaked across GitHub in 2024 alone.<sup id=\"fnref-85988-1\"><a href=\"#fn-85988-1\" class=\"jetpack-footnote\" title=\"Read footnote.\">1<\/a><\/sup> Every <em>minute<\/em> GitHub blocks several secrets with push protection.<sup id=\"fnref-85988-2\"><a href=\"#fn-85988-2\" class=\"jetpack-footnote\" title=\"Read footnote.\">2<\/a><\/sup> Still, secret leaks remain one of the most common&mdash;and preventable&mdash;causes of security incidents. As we develop code faster than ever previously imaginable, we&rsquo;re leaking secrets faster than ever, too.<\/p>\n<p>That&rsquo;s why, at GitHub, we&rsquo;re working to prevent breaches caused by leaked tokens, credentials, and other secrets&mdash;<span style=\"font-weight: 400\">ensuring protection against secret exposures is built-in and accessible to every developer. 
<\/span><\/p>\n<p><strong>Today, we&rsquo;re launching the<\/strong> <a href=\"https:\/\/resources.github.com\/evolving-github-advanced-security\/?utm_source=blog&amp;utm_medium=topgraf&amp;utm_campaign=GHASunbundle\"><strong>next evolution of GitHub Advanced Security<\/strong><\/a>, aligning with our ongoing mission to <strong>keep your secrets&hellip;secret<\/strong>.<\/p>\n<ul>\n<li><strong>Secret Protection<\/strong> and <strong>Code Security<\/strong>, now available as standalone products<\/li>\n<li>Advanced Security for <strong>GitHub Team<\/strong> organizations<\/li>\n<li><strong>A free, organization-wide secret scan<\/strong> to help teams identify and reduce exposure.<sup id=\"fnref-85988-3\"><a href=\"#fn-85988-3\" class=\"jetpack-footnote\" title=\"Read footnote.\">3<\/a><\/sup><\/li>\n<\/ul>\n<p>Here&rsquo;s how secrets leak, what we&rsquo;re doing to stop it, and what you can do to protect your code. Let&rsquo;s jump in.<\/p>\n<h2 id=\"how-do-secret-leaks-happen\"><a class=\"heading-link\" href=\"#how-do-secret-leaks-happen\">How do secret leaks happen?<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>Most software today depends on secrets&mdash;credentials, API keys, tokens&mdash;that developers handle dozens of times a day. These secrets are often accidentally exposed. Less intuitively, a large number of breaches come from well-meaning developers who purposely expose a secret. <strong>Developers also often underestimate the risk of private exposures,<\/strong> committing, sharing, or storing these secrets in ways that feel convenient in the moment, but which introduce risk over time.<\/p>\n<p>Unfortunately, these seemingly innocuous secret exposures are small threads to pull for an attacker looking to unravel a whole system. 
Bad actors are extremely skilled at using a foothold provided by &ldquo;low risk&rdquo; secrets for lateral movement to higher-value assets. Even without the risk of insider threats, persisting any secret in git history (or elsewhere) makes us vulnerable to future mistakes. <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/#snapshots\">Research<\/a> shows that accidental mistakes (like inadvertently making a repository public) were higher in 2024 than ever before.<\/p>\n<p><em>If you&rsquo;re interested in learning more about secret leaks and how to protect yourself, check out this great video from my colleague Chris Reddington:<\/em><\/p>\n<div class=\"mod-vh position-relative\" style=\"height: 0; padding-bottom: calc((9 \/ 16)*100%);\">\n\t\t\t<iframe loading=\"lazy\" class=\"position-absolute top-0 left-0 width-full height-full\" src=\"https:\/\/www.youtube.com\/embed\/vMhDkt5JNN0?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent\" title=\"YouTube video player\" allow=\"accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen=\"\" frameborder=\"0\"><\/iframe>\n\t\t<\/div>\n<h2 id=\"what-is-github-doing-about-it\" id=\"what-is-github-doing-about-it\" ><a class=\"heading-link\" href=\"#what-is-github-doing-about-it\">What is GitHub doing about it?<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p>We care deeply about protecting the developer community from the risk of exposed secrets. 
A few years ago, we formally launched our <a href=\"https:\/\/docs.github.com\/code-security\/secret-scanning\/secret-scanning-partnership-program\/secret-scanning-partner-program\">industry partnership program<\/a>, which has now grown to hundreds of token issuers like AWS, Google Cloud Platform, Meta, and OpenAI&mdash;all fully committed to protecting the developer community from leaked secrets.<\/p>\n<aside class=\"p-4 p-md-6 post-aside--large\"><p class=\"h5-mktg gh-aside-title\">&#128161; Did you know?<\/p><p>GitHub partners with providers to build detectors for their secrets behind the scenes. This improves our ability to detect secrets accurately and quickly, and to work together to mitigate risk in the case of a publicly leaked secret.<\/p>\n<p>In the case of a public leak, GitHub not only notifies you with a secret scanning alert, but also immediately notifies the secret issuer (if they participate in the GitHub secret scanning partnership program). The issuer can then take action depending on their policy, like quarantining, revoking, or further notifying involved parties.<\/p>\n<\/aside>\n<p>Last year, we rolled out <a href=\"https:\/\/github.blog\/news-insights\/product-news\/keeping-secrets-out-of-public-repositories\/\">push protection by default<\/a> for public repositories, which has since blocked millions of secrets for the open source community.<\/p>\n<p>And finally, as of today, we&rsquo;re rolling out additional changes to our feature availability, aligning with our ongoing goal to help organizations of all sizes protect themselves from the risk of exposed secrets: <a href=\"https:\/\/github.blog\/changelog\/2025-04-01-find-secrets-exposed-in-your-organization-with-the-secret-risk-assessment\/\">a new point-in-time scan<\/a>, free for organizations; a new pricing plan, to make our paid security tooling more affordable; and the release of Secret Protection and Code Security to GitHub Team plans.<\/p>\n<h2 
id=\"what-you-can-do-to-protect-yourself-from-exposed-secrets\" id=\"what-you-can-do-to-protect-yourself-from-exposed-secrets\" ><a class=\"heading-link\" href=\"#what-you-can-do-to-protect-yourself-from-exposed-secrets\">What you can do to protect yourself from exposed secrets<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-85995 width-fit\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4.png?w=1024&#038;resize=1024%2C538\" alt=\"GitHub push protection helps prevent secret leaks before they happen.\" width=\"1024\" height=\"538\" srcset=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4.png?w=2400 2400w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4.png?w=300 300w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4.png?w=768 768w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4.png?w=1024 1024w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4.png?w=1536 1536w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4.png?w=2048 2048w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p><strong>The easiest way to protect yourself from leaked secrets is not to have any in the first place.<\/strong> Push protection, our built-in solution, is the simplest way to block secrets from accidental exposure. It leverages the same detectors that we created through our partnership program with cloud providers, ensuring secrets are caught quickly and accurately with the lowest rate of false positives possible.<\/p>\n<aside class=\"p-4 p-md-6 post-aside--large\"><p class=\"h5-mktg gh-aside-title\">Get started<\/p><p>Push protection prevents secret leaks&ndash;without compromising the developer experience&ndash;by scanning for secrets before they are pushed. 
You can enable push protection immediately with a couple of clicks from your <a href=\"https:\/\/docs.github.com\/code-security\/secret-scanning\/enabling-secret-scanning-features\/enabling-push-protection-for-your-repository\">repository<\/a>, <a href=\"https:\/\/docs.github.com\/code-security\/securing-your-organization\/enabling-security-features-in-your-organization\/applying-the-github-recommended-security-configuration-in-your-organization#applying-the-github-recommended-security-configuration-to-specific-repositories-in-your-organization\">organization<\/a>, and <a href=\"https:\/\/docs.github.com\/enterprise-cloud@latest\/code-security\/securing-your-organization\/introduction-to-securing-your-organization-at-scale\/about-enabling-security-features-at-scale\">enterprise<\/a> settings.<\/p>\n<\/aside>\n<p>Studies have shown that GitHub Secret Protection is the only secret scanning tool&mdash;proprietary or open source&mdash;that can claim a true positive rate of over one in two across all findings.<sup id=\"fnref-85988-4\"><a href=\"#fn-85988-4\" class=\"jetpack-footnote\" title=\"Read footnote.\">4<\/a><\/sup> GitHub received a precision score of 75% (compared to the next best, 46% precision). Compared to alternatives like open source scanning solutions, it&rsquo;s not that GitHub is finding fewer secrets&hellip; it&rsquo;s that we&rsquo;re finding real ones. That way, you&rsquo;re able to spend your time worrying less about false positives, and more about what matters&ndash;shipping.<\/p>\n<aside class=\"p-4 p-md-6 post-aside--large\"><p class=\"h5-mktg gh-aside-title\">&#128161; Did you know?<\/p><p>GitHub also leverages GitHub Copilot to detect unstructured secrets like passwords with extremely low false positive rates. 
My colleagues <a href=\"https:\/\/github.blog\/author\/ashwinmohan86\/\">Ashwin Mohan<\/a> and <a href=\"https:\/\/github.blog\/author\/courtneycl\/\">Courtney Claessens<\/a> just wrote a great piece, which goes into depth on <a href=\"https:\/\/github.blog\/engineering\/platform-security\/finding-leaked-passwords-with-ai-how-we-built-copilot-secret-scanning\/\">how we built Copilot secret scanning<\/a>.<\/p>\n<\/aside>\n<p>Long-lived credentials are some of the most common and dangerous types of secrets to leak, as they often persist unnoticed for months&ndash;or years&ndash;and give bad actors extended access. That&rsquo;s why managing secrets through their full lifecycle is critical.<\/p>\n<p>Beyond push protection, you can protect yourself from leaks by following <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Secrets_Management_Cheat_Sheet.html#1-introduction\">security best practices<\/a> to ensure secrets are securely managed from creation to revocation:<\/p>\n<ul>\n<li><strong>Creation:<\/strong> follow the principle of least privilege and make sure secrets are securely generated.<\/li>\n<li><strong>Rotation:<\/strong> <a href=\"https:\/\/pages.nist.gov\/800-63-FAQ\/#q-b05\">outside of user credentials<\/a>, secrets should be regularly rotated.<\/li>\n<li><strong>Revocation:<\/strong> restrict access when no longer needed&ndash;or when compromised.<\/li>\n<\/ul>\n<p>Throughout the lifecycle of a secret, you should eliminate human interaction and <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Secrets_Management_Cheat_Sheet.html#24-automate-secrets-management\">automate secret management<\/a> whenever possible.<\/p>\n<p>In addition, you should adopt a continuous monitoring solution for detecting exposures, so you can react quickly. 
Like push protection, GitHub&rsquo;s built-in solution for secret scanning is the simplest way to triage previously leaked secrets.<\/p>\n<p>Starting today, investing in GitHub&rsquo;s built-in security tooling is more affordable and in reach for many teams with the release of <strong>GitHub Secret Protection (free for public repositories), in addition to a new point-in-time scan (free for all organization repositories)<\/strong>, which can be run periodically to check for exposed secrets.<\/p>\n<aside class=\"p-4 p-md-6 post-aside--large\"><p class=\"h5-mktg gh-aside-title\">&#128161; Did you know?<\/p><p>GitHub Secret Protection includes policies and configurability built to scale with organizations of all shapes and sizes. For example, you can restrict the list of users or roles that can bypass a blocked secret with delegated bypass for push protection. Once enabled, any users or roles not listed in the bypass list must go through an approval process. These features are simple to establish and manage, as you&rsquo;ll see in the below video.<\/p>\n<\/aside>\n<p><em>Learn more about deploying and managing secret protection at scale:<\/em><\/p>\n<div class=\"mod-vh position-relative\" style=\"height: 0; padding-bottom: calc((9 \/ 16)*100%);\">\n\t\t\t<iframe loading=\"lazy\" class=\"position-absolute top-0 left-0 width-full height-full\" src=\"https:\/\/www.youtube.com\/embed\/AaYcmq5zpKY?version=3&amp;rel=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;fs=1&amp;hl=en-US&amp;autohide=2&amp;wmode=transparent\" title=\"YouTube video player\" allow=\"accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen=\"\" frameborder=\"0\"><\/iframe>\n\t\t<\/div>\n<h2 id=\"github-secret-protection-and-github-code-security\" id=\"github-secret-protection-and-github-code-security\" ><a class=\"heading-link\" href=\"#github-secret-protection-and-github-code-security\">GitHub Secret Protection and GitHub Code Security<span 
class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-85996 width-fit\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/secret-protection-code-security.png?w=1024&#038;resize=1024%2C685\" alt=\"Introducing GitHub Secret Protection and GitHub Code Security\" width=\"1024\" height=\"685\" srcset=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/secret-protection-code-security.png?w=1600 1600w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/secret-protection-code-security.png?w=300 300w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/secret-protection-code-security.png?w=768 768w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/secret-protection-code-security.png?w=1024 1024w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/secret-protection-code-security.png?w=1536 1536w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>As of today, <strong>our security products are<\/strong> <strong>available to purchase as <\/strong><a href=\"https:\/\/github.blog\/changelog\/2025-04-01-github-secret-protection-and-github-code-security-for-github-enterprise\/\"><strong>standalone products for enterprises<\/strong><\/a>, enabling development teams to scale security quickly. Previously, investing in secret scanning and push protection required purchasing a larger suite of security tools, which made fully investing unaffordable for many organizations. 
This change ensures scalable security with Secret Protection and Code Security is <strong>no longer out of reach<\/strong> for many organizations.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-85997 width-fit\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4_4655a6.png?w=1024&#038;resize=1024%2C538\" alt=\"GitHub Secret Protection is here for GitHub Team organizations to purchase\" width=\"1024\" height=\"538\" srcset=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4_4655a6.png?w=2400 2400w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4_4655a6.png?w=300 300w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4_4655a6.png?w=768 768w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4_4655a6.png?w=1024 1024w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4_4655a6.png?w=1536 1536w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/V4_4655a6.png?w=2048 2048w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>In addition, as of today,<strong> our standalone security products are also <\/strong><a href=\"https:\/\/github.blog\/changelog\/2025-04-01-github-secret-protection-and-github-code-security-for-github-enterprise\/\"><strong>available as add-ons for GitHub Team organizations<\/strong><\/a>. Previously, smaller development teams were unable to purchase our security features without upgrading to GitHub Enterprise. This change ensures our security products remain <strong>affordable, accessible, and easy to deploy<\/strong> for organizations of all sizes.<\/p>\n<h2 id=\"have-your-secrets-been-exposed-try-our-new-public-preview\" id=\"have-your-secrets-been-exposed-try-our-new-public-preview\" ><a class=\"heading-link\" href=\"#have-your-secrets-been-exposed-try-our-new-public-preview\">Have your secrets been exposed? 
Try our new public preview<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h2>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-85998 width-fit\" src=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/Changelog-1.png?w=1024&#038;resize=1024%2C538\" alt=\"The secret risk assessment is available for GitHub organizations\" width=\"1024\" height=\"538\" srcset=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/Changelog-1.png?w=2400 2400w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/Changelog-1.png?w=300 300w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/Changelog-1.png?w=768 768w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/Changelog-1.png?w=1024 1024w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/Changelog-1.png?w=1536 1536w, https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/Changelog-1.png?w=2048 2048w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p>Understanding whether you have existing exposed secrets is a critical step. Starting today, you can run a secret risk assessment for your organization.<\/p>\n<p>The secret risk assessment is a point-in-time scan leveraging our scanning engine for organizations, covering all repositories&ndash;public, private, internal, and even archived&ndash;and can be run without purchase. The point-in-time scan provides clear insights into the exposure of your secrets across your organization, along with actionable steps to strengthen your security and protect your code. In order to lower barriers for organizations to use and benefit from the feature, no specific secrets are stored or shared.<\/p>\n<p>The public preview is releasing today for organizations across GitHub Team and Enterprise plans to try. 
It&rsquo;s still quite early, so we&rsquo;d love to hear your feedback, like whether additional guidance on next steps would be helpful, or whether this is something you&rsquo;d leverage outside of Team and Enterprise plans.<\/p>\n<p>If you have feedback or questions, please do <a href=\"https:\/\/github.com\/orgs\/community\/discussions\/153016\">join the discussion in GitHub Community<\/a>&ndash;we&rsquo;re listening.<\/p>\n<div class=\"post-content-cta\"><p>Learn more about <a href=\"https:\/\/github.com\/enterprise\/advanced-security\">GitHub Advanced Security<\/a>, including Secret Protection and Code Security.<\/p>\n<\/div>\n<h4 id=\"notes\"><a class=\"heading-link\" href=\"#notes\">Notes<span class=\"heading-hash pl-2 text-italic text-bold\" aria-hidden=\"true\"><\/span><\/a><\/h4>\n<div class=\"footnotes\">\n<hr>\n<ol>\n<li id=\"fn-85988-1\">\n<a href=\"https:\/\/octoverse.github.com\/\">State of the Octoverse<\/a>, 2024&nbsp;<a href=\"#fnref-85988-1\" title=\"Return to main content.\">&#8617;<\/a>\n<\/li>\n<li id=\"fn-85988-2\">\nPush protection helps prevent secret leaks&ndash;without compromising the developer experience&ndash;by scanning for secrets before they are pushed. <a href=\"https:\/\/docs.github.com\/code-security\/secret-scanning\/introduction\/about-push-protection\">Learn more about push protection<\/a>.&nbsp;<a href=\"#fnref-85988-2\" title=\"Return to main content.\">&#8617;<\/a>\n<\/li>\n<li id=\"fn-85988-3\">\nThe secret risk assessment is a free tool which will provide clear insights into secret exposure across your organization, along with actionable steps to strengthen your security and protect your code. 
<a href=\"#have-your-secrets-been-exposed-try-our-new-public-preview\">Learn more about the secret risk assessment<\/a>.&nbsp;<a href=\"#fnref-85988-3\" title=\"Return to main content.\">&#8617;<\/a>\n<\/li>\n<li id=\"fn-85988-4\">\nA Comparative Study of Software Secrets Reporting by Secret Detection Tools, Setu Kumar Basak et al., North Carolina State University, 2023&nbsp;<a href=\"#fnref-85988-4\" title=\"Return to main content.\">&#8617;<\/a>\n<\/li>\n<\/ol>\n<\/div>\n<\/body><\/html>\n","protected":false},"excerpt":{"rendered":"<p>Every minute, GitHub blocks several secrets with push protection\u2014but secret leaks still remain one of the most common causes of security incidents. Learn how GitHub is making it easier to protect yourself from exposed secrets, including today\u2019s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.<\/p>\n","protected":false},"author":1954,"featured_media":85990,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gh_post_show_toc":"yes","_gh_post_is_no_robots":"no","_gh_post_is_featured":"yes","_gh_post_is_excluded":"no","_gh_post_is_unlisted":"no","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"","_gh_post_sq_img_id":"","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"Click Here to Learn 
More","_gh_post_recirc_hide":"no","_gh_post_recirc_col_1":"78957","_gh_post_recirc_col_2":"78959","_gh_post_recirc_col_3":"78961","_gh_post_recirc_col_4":"65316","_featured_video":"","_gh_post_additional_query_params":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false,"_links_to":"","_links_to_target":""},"categories":[3334,91],"tags":[2585,3636,2584],"coauthors":[2427],"class_list":["post-85988","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application-security","category-security","tag-github-advanced-security","tag-secret-protection","tag-secret-scanning"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>GitHub found 39M secret leaks in 2024. Here&#039;s what we&#039;re doing to help - The GitHub Blog<\/title>\n<meta name=\"description\" content=\"Every minute, GitHub blocks several secrets with push protection\u2014but secret leaks still remain one of the most common causes of security incidents. 
Learn how GitHub is making it easier to protect yourself from exposed secrets, including today\u2019s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GitHub found 39M secret leaks in 2024. Here&#039;s what we&#039;re doing to help\" \/>\n<meta property=\"og:description\" content=\"Every minute, GitHub blocks several secrets with push protection\u2014but secret leaks still remain one of the most common causes of security incidents. Learn how GitHub is making it easier to protect yourself from exposed secrets, including today\u2019s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/\" \/>\n<meta property=\"og:site_name\" content=\"The GitHub Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-01T16:06:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-01T20:41:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/GHAS-unbundling-header.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Erin Havens\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@erinhavens\" \/>\n<meta name=\"twitter:label1\" 
content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Erin Havens\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/\"},\"author\":{\"name\":\"Erin Havens\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/68a9f9c028d7b7eb2544b35aeed5d57e\"},\"headline\":\"GitHub found 39M secret leaks in 2024. Here&#8217;s what we&#8217;re doing to help\",\"datePublished\":\"2025-04-01T16:06:40+00:00\",\"dateModified\":\"2025-04-01T20:41:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/\"},\"wordCount\":1599,\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/GHAS-unbundling-header.png?fit=1920%2C1080\",\"keywords\":[\"GitHub Advanced Security\",\"Secret Protection\",\"Secret Scanning\"],\"articleSection\":[\"Application security\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/\",\"name\":\"GitHub found 39M secret leaks in 2024. 
Here's what we're doing to help - The GitHub Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/GHAS-unbundling-header.png?fit=1920%2C1080\",\"datePublished\":\"2025-04-01T16:06:40+00:00\",\"dateModified\":\"2025-04-01T20:41:44+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/68a9f9c028d7b7eb2544b35aeed5d57e\"},\"description\":\"Every minute, GitHub blocks several secrets with push protection\u2014but secret leaks still remain one of the most common causes of security incidents. Learn how GitHub is making it easier to protect yourself from exposed secrets, including today\u2019s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/#primaryimage\",\"url\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/GHAS-unbundling-header.png?fit=1920%2C1080\",\"contentUrl\":\"https:\\\/\\\/github.blog\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/GHAS-unbundling-header.png?fit=1920%2C1080\",\"width\":1920,\"height\":1080,\"caption\":\"Yes, 
checkmark.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/next-evolution-github-advanced-security\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/github.blog\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Application security\",\"item\":\"https:\\\/\\\/github.blog\\\/security\\\/application-security\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"GitHub found 39M secret leaks in 2024. Here&#8217;s what we&#8217;re doing to help\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/68a9f9c028d7b7eb2544b35aeed5d57e\",\"name\":\"Erin Havens\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/19e2efbf8ffebcbe2ba1148222876310deb8f3773c87a78ed3c11aa504936045?s=96&d=mm&r=gfe6e480d1c3dd4e6f02233d18c5cd5e0\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/19e2efbf8ffebcbe2ba1148222876310deb8f3773c87a78ed3c11aa504936045?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/19e2efbf8ffebcbe2ba1148222876310deb8f3773c87a78ed3c11aa504936045?s=96&d=mm&r=g\",\"caption\":\"Erin Havens\"},\"description\":\"Erin Havens is a Product 
Manager at GitHub, focused on security products. 100+ ships across products like Secret Protection and Dependabot (and counting).\",\"sameAs\":[\"https:\\\/\\\/x.com\\\/erinhavens\"],\"url\":\"https:\\\/\\\/github.blog\\\/author\\\/erinhav\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"GitHub found 39M secret leaks in 2024. Here's what we're doing to help - The GitHub Blog","description":"Every minute, GitHub blocks several secrets with push protection\u2014but secret leaks still remain one of the most common causes of security incidents. Learn how GitHub is making it easier to protect yourself from exposed secrets, including today\u2019s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/","og_locale":"en_US","og_type":"article","og_title":"GitHub found 39M secret leaks in 2024. Here's what we're doing to help","og_description":"Every minute, GitHub blocks several secrets with push protection\u2014but secret leaks still remain one of the most common causes of security incidents. 
Learn how GitHub is making it easier to protect yourself from exposed secrets, including today\u2019s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.","og_url":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/","og_site_name":"The GitHub Blog","article_published_time":"2025-04-01T16:06:40+00:00","article_modified_time":"2025-04-01T20:41:44+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/GHAS-unbundling-header.png","type":"image\/png"}],"author":"Erin Havens","twitter_card":"summary_large_image","twitter_creator":"@erinhavens","twitter_misc":{"Written by":"Erin Havens","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/#article","isPartOf":{"@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/"},"author":{"name":"Erin Havens","@id":"https:\/\/github.blog\/#\/schema\/person\/68a9f9c028d7b7eb2544b35aeed5d57e"},"headline":"GitHub found 39M secret leaks in 2024. 
Here&#8217;s what we&#8217;re doing to help","datePublished":"2025-04-01T16:06:40+00:00","dateModified":"2025-04-01T20:41:44+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/"},"wordCount":1599,"image":{"@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/GHAS-unbundling-header.png?fit=1920%2C1080","keywords":["GitHub Advanced Security","Secret Protection","Secret Scanning"],"articleSection":["Application security","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/","url":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/","name":"GitHub found 39M secret leaks in 2024. Here's what we're doing to help - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/#primaryimage"},"image":{"@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/#primaryimage"},"thumbnailUrl":"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/GHAS-unbundling-header.png?fit=1920%2C1080","datePublished":"2025-04-01T16:06:40+00:00","dateModified":"2025-04-01T20:41:44+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/68a9f9c028d7b7eb2544b35aeed5d57e"},"description":"Every minute, GitHub blocks several secrets with push protection\u2014but secret leaks still remain one of the most common causes of security incidents. 
Learn how GitHub is making it easier to protect yourself from exposed secrets, including today\u2019s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.","breadcrumb":{"@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/#primaryimage","url":"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/GHAS-unbundling-header.png?fit=1920%2C1080","contentUrl":"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/GHAS-unbundling-header.png?fit=1920%2C1080","width":1920,"height":1080,"caption":"Yes, checkmark."},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/security\/application-security\/next-evolution-github-advanced-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/github.blog\/security\/"},{"@type":"ListItem","position":3,"name":"Application security","item":"https:\/\/github.blog\/security\/application-security\/"},{"@type":"ListItem","position":4,"name":"GitHub found 39M secret leaks in 2024. 
Here&#8217;s what we&#8217;re doing to help"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/68a9f9c028d7b7eb2544b35aeed5d57e","name":"Erin Havens","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/19e2efbf8ffebcbe2ba1148222876310deb8f3773c87a78ed3c11aa504936045?s=96&d=mm&r=gfe6e480d1c3dd4e6f02233d18c5cd5e0","url":"https:\/\/secure.gravatar.com\/avatar\/19e2efbf8ffebcbe2ba1148222876310deb8f3773c87a78ed3c11aa504936045?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/19e2efbf8ffebcbe2ba1148222876310deb8f3773c87a78ed3c11aa504936045?s=96&d=mm&r=g","caption":"Erin Havens"},"description":"Erin Havens is a Product Manager at GitHub, focused on security products. 
100+ ships across products like Secret Protection and Dependabot (and counting).","sameAs":["https:\/\/x.com\/erinhavens"],"url":"https:\/\/github.blog\/author\/erinhav\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/github.blog\/wp-content\/uploads\/2025\/03\/GHAS-unbundling-header.png?fit=1920%2C1080","jetpack_shortlink":"https:\/\/wp.me\/pamS32-mmU","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/85988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/1954"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=85988"}],"version-history":[{"count":22,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/85988\/revisions"}],"predecessor-version":[{"id":86052,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/85988\/revisions\/86052"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media\/85990"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=85988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=85988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=85988"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=85988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}