GitHub has announced that Secret Scanning will be available for free to public repository users.
Secret Scanning, which scans repositories and checks for accidentally committed secrets (authentication tokens, API keys, private keys, and so on), has long been available as an option for GitHub Advanced Security, but it was only available to organizations using GitHub Enterprise Cloud with a GitHub Advanced Security license.
Secret Scanning was announced by GitHub as a beta in May 2020, but it is considered a mechanism to invalidate codes and notify alerts via the Secret Scanning Partner Program. To prevent the misuse of authentication tokens, it supports over 200 secret patterns and has detected over 1.7 million potential secrets this year 2022. We will begin deploying the public beta to some users today, but for the time being, it is best to try to activate it by referring to the official document. By the end of January 2023, it will also be available to all GitHub users.
Secret scanning is an additional repository scanning security option that organisations can enable to detect accidental exposure of known types of secrets. It works by matching patterns provided by partners and service providers, as well as patterns defined by the organization. Each match is reported as a security alert in the repos’ Security tab or to partners if it is triggered by a partner pattern.
The sources for this piece include an article in BleepingComputer.