Original Article Text


GitHub expands security tools after 39 million secrets leaked in 2024

GitHub announced updates to its Advanced Security platform after it detected over 39 million leaked secrets in repositories during 2024, including API keys and credentials, exposing users and organizations to serious security risks.

In a new report by GitHub, the development company says the 39 million secrets were found through its secret scanning service, a security feature that detects API keys, passwords, tokens, and other secrets in repositories.

"Secret leaks remain one of the most common—and preventable—causes of security incidents," reads GitHub's announcement. "As we develop code faster than ever previously imaginable, we're leaking secrets faster than ever, too."

This is happening despite GitHub's targeted protection measures like "Push Protection," which was introduced in April 2022 and was activated by default on all public repositories in February 2024.

According to GitHub, the main reasons why secrets continue to leak are the prioritization of convenience by developers who handle secrets during commits and accidental repository exposure through git history.

GitHub revamps Advanced Security

GitHub announced several new measures and enhancements to existing systems to mitigate secret leaks on the platform.

"As of today, our security products are available to purchase as standalone products for enterprises, enabling development teams to scale security quickly," explained GitHub.

"Previously, investing in secret scanning and push protection required purchasing a larger suite of security tools, which made it too expensive for many organizations.

"This change ensures scalable security with Secret Protection and Code Security is no longer out of reach for many organizations."

The GitHub Advanced Security changes are summarized as follows:

Apart from GitHub's initiatives and improvements, users are also given a list of recommended actions to protect themselves from secret leaks.
First, it is suggested that Push Protection be enabled at the repository, organization, or enterprise level to block secrets before they're pushed to a repository.

GitHub also highlights the importance of reducing the risk by eliminating hardcoded secrets from source code altogether, instead using environment variables, secret managers, or vaults to store them.

The platform suggests using tools that integrate with CI/CD pipelines and cloud platforms to handle secrets programmatically, reducing the human interaction that can introduce errors and exposure.

Finally, GitHub users are recommended to review the 'Best Practices' guide and ensure they appropriately manage secrets end-to-end.
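To make the push-protection and "no hardcoded secrets" advice concrete, here is an added example of a minimal pre-push secret check; it is not GitHub's scanner or rule set. It inspects only the added lines of a unified diff, matches two well-known token formats, and falls back to an entropy test for secret-looking assignments; the patterns, the threshold and the sample diff are assumed or constructed for illustration.

```python
import math
import re
from collections import Counter

# Rules for two well-known credential formats (assumed here; not GitHub's own rule set).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Fallback: a secret-looking variable assigned a quoted literal of 16+ characters.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"

def shannon_entropy(s):
    """Bits per character; random tokens score well above English-like strings."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_added_lines(diff_text):
    """Scan only '+' lines of a unified diff; returns (diff_line_no, rule, match)."""
    findings = []
    for lineno, raw in enumerate(diff_text.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # context, removed lines and file headers add no new exposure
        line = raw[1:]
        hit = False
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((lineno, rule, m.group(0)))
                hit = True
        m = ASSIGNMENT.search(line)
        if not hit and m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_assignment", m.group(1)))
    return findings

# Constructed diff: one correct fix (env var), three leaks, one harmless placeholder.
SAMPLE_DIFF = """\
--- a/settings.py
+++ b/settings.py
@@ -1,1 +1,5 @@
-DB_PASSWORD = "changeme-changeme-changeme"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+GITHUB_TOKEN = "ghp_EXAMPLEexample0123456789ABCDEFGHIJKL"
+SIGNING_SECRET = "Kx9qLm2ZpW8rT5nBvY4cJ7hD"
+PLACEHOLDER_TOKEN = "changeme-changeme-changeme"
"""
```

Running `scan_added_lines(SAMPLE_DIFF)` reports the AWS key, the GitHub token and the random-looking signing secret, while the environment-variable fix and the low-entropy placeholder pass; a non-empty result is what a pre-push hook would turn into a rejected push.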

Daily Brief Summary

DATA BREACH // GitHub Enhances Security Tools After Major Secret Leaks

GitHub updated its Advanced Security platform following the discovery of over 39 million secrets leaked from repositories in 2024.

Leaked items included API keys, passwords, and tokens, posing significant security risks to users and organizations.

GitHub attributes the frequent secret leaks to the prioritization of convenience by developers and accidental exposure in git history.

GitHub’s Advanced Security updates include new measures and enhancements that can now be purchased as standalone products for scalable security.

GitHub emphasizes Push Protection, which blocks secrets before they are pushed to a repository and is enabled by default on all public repositories.

Users are encouraged to eliminate hardcoded secrets in source code, utilizing environment variables, secret managers, or vaults instead.

GitHub also stresses the integration of tools with CI/CD pipelines and cloud platforms to manage secrets programmatically and minimize human error.

Guidance is available through GitHub’s 'Best Practices' guide for managing secrets effectively end-to-end.