GitHub is committed to empowering the developer community by helping organizations recognize and address the risks of secret leaks wherever they happen. We believe every enterprise should know the moment its secrets leak in public, no matter where it happens on GitHub. That’s why public monitoring is now in public preview for enterprises with GitHub Secret Protection, at no additional cost.

Secrets don’t respect boundaries; scanning for them shouldn’t either.

What is public monitoring?

GitHub monitors the entire public surface of github.com for leaked secrets in real time. Public monitoring attributes those secrets back to your enterprise, based on where your people commit.

Secret scanning has always protected the repositories you own. But secrets leak beyond that boundary. For example, a developer commits to a personal fork or an open source project, or they paste a token into a public issue or pull request, and this often happens from an account your security team isn’t tracking. Exposures like these were nearly impossible to find and often only surfaced after they’d been abused by bad actors.