GitHub Secret Scanning Adds Base64-Encoded and Extended Metadata Support
Allison summarizes significant October 2025 improvements to GitHub secret scanning, focusing on extended detection and security measures that benefit developers and organizations using Azure, AWS, and other platforms.
GitHub Secret Scanning: New Features for October 2025
GitHub continues to strengthen its security capabilities with recent updates to secret scanning. These changes further protect developers and organizations from accidental exposure of sensitive information such as API keys, credentials, and tokens.
Key Updates
1. Detection of Base64-Encoded Secrets
- GitHub secret scanning now detects Base64-encoded versions of secrets from major cloud providers, making it harder for obfuscated secrets to slip through unnoticed.
- Commonly detected Base64-encoded secrets include:
  - Azure: azure_cache_for_redis_access_key, azure_cosmosdb_key_identifiable, azure_function_key, azure_openai_key, azure_storage_account_key
  - AWS: aws_access_key_id, aws_secret_access_key, aws_temporary_access_key_id
  - Google, GitHub, GitLab, and others.
- These secrets are push protected by default, proactively reducing risk.
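Why an encoded credential evades a plain pattern match, and how decoding candidates before matching catches it, shown as an added example that is not GitHub's implementation and not code from the original post. The key-ID regex is the commonly published AWS shape, the names `scan` and `decode_candidate` are hypothetical, and the sample is constructed from AWS's documentation placeholder key ID.

```python
import base64
import binascii
import re

# Assumption: the widely published AWS key-ID shape (AKIA long-term, ASIA
# temporary). This is not GitHub's own detection pattern.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Runs long enough to hold an encoded 20-character key ID (27 chars unpadded).
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")


def decode_candidate(token):
    """Decode standard or URL-safe Base64, tolerating stripped padding."""
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    if len(body) % 4 == 1:  # no valid Base64 string has this length
        return None
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not Base64, or binary data rather than text


def scan(text):
    """Return (line_no, kind, key_id) for plain and Base64-wrapped key IDs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((line_no, "plain", m.group()))
        for m in B64_RUN.finditer(line):
            decoded = decode_candidate(m.group())
            for hit in AWS_KEY_ID.finditer(decoded or ""):
                findings.append((line_no, "base64", hit.group()))
    return findings


# Constructed sample built from AWS's documentation placeholder key ID.
PLACEHOLDER = "AKIAIOSFODNN7EXAMPLE"
WRAPPED = base64.b64encode(PLACEHOLDER.encode()).decode()
SAMPLE = "\n".join([
    "region = us-east-1",
    f"key_id = {PLACEHOLDER}",
    f"AWS_KEY_B64={WRAPPED}",
    f'token: "{WRAPPED.rstrip("=")}"',  # padding stripped
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the plain-pattern pass would have flagged line 2 of the sample; lines 3 and 4 are found only after decoding, including the variant with its `=` padding stripped.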
2. Extended Metadata Checks
- Secret scanning now supports enhanced context checks—such as owner info, creation dates, and organization metadata—for a broader range of secret types.
- Applies to API keys and tokens from over 30 providers, including Adafruit, Anthropic, Discord, Dropbox, Fastly, GitLab, Google, Figma, Intercom, Mailchimp, Mailgun, Mapbox, Notion, OpenAI, Postman, SendGrid, Slack, Stripe, Telegram, Terraform Cloud, and more.
- These extended checks give security teams improved traceability and control for exposed secrets.
3. Validity Checks
- For providers including Grafana and Notion, GitHub can now verify whether a detected secret is still active—enabling faster response and mitigation.
Why This Matters
- Developers and DevOps teams benefit from earlier detection of more complex (obfuscated) leaks, especially for commonly used cloud platforms.
- Security and compliance are strengthened with added traceability and automatic push protection.
- Azure and other Microsoft technology users now gain broader coverage for cloud credentials, making Microsoft-focused repositories safer by default.
Further Reading and Resources
- Secret scanning documentation
- Comprehensive list of supported secret patterns
- GitHub Universe announcement
GitHub will continue rolling out additional secret types and security features. These ongoing advancements offer teams using Azure, AWS, and other cloud providers more ways to safeguard their code and cloud environments.
This post appeared first on “The GitHub Blog”.