GitHub Now Reports Leaked Secrets in Unlisted Gists to Scanning Partners
Allison explains GitHub’s update to its secret scanning process, highlighting how secrets leaked in any gist, including unlisted ones, are now reported to scanning partners to help prevent exposure.
GitHub Reports Leaked Secrets in Unlisted Gists to Secret Scanning Partners
Starting today, GitHub alerts its secret scanning partners to leaked secrets found in unlisted (labeled ‘secret’) gists, as it already does for public gists.
Key Update
- Secrets in both public and unlisted gists are now reported to secret scanning partners (such as AWS, OpenAI, and Stripe).
- Gists marked ‘secret’ are unlisted, not private: anyone who obtains the URL can read them, which makes them an easily overlooked source of credential leaks.
GitHub Secret Scanning Partnership Program
- GitHub works with industry partners, who register the formats of the tokens they issue so GitHub can scan for them with high precision and few false positives.
- On a match, GitHub sends the token to the partner that issued it, which can validate it and revoke it or notify the affected customer; where secret scanning alerts are enabled, the developer is also notified through a secret scanning alert.
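The exchange described above, as an added example that is not GitHub's or any partner's code: GitHub POSTs a JSON array of findings to the partner's endpoint and signs the raw body with ECDSA P-256/SHA-256, sending the key identifier and the base64 signature in request headers; the partner verifies the signature against the public keys published at https://api.github.com/meta/public_keys/secret_scanning, checks each token against its own records, revokes live ones, and answers with a `true_positive`/`false_positive` label per token so GitHub can tune its detection. The key pair, the key identifier `demo-key-1`, the `acme_` token format, the `isLive` lookup and the alert body are all constructed for this example and stand in for GitHub's real keys and a partner's real database.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Finding is one entry in the JSON array GitHub POSTs to a partner endpoint.
type Finding struct {
	Token  string `json:"token"`
	Type   string `json:"type"`
	URL    string `json:"url"`
	Source string `json:"source"`
}

// Verdict is one entry in the array the partner returns so GitHub can learn
// which matches were real credentials and which were not.
type Verdict struct {
	TokenRaw  string `json:"token_raw"`
	TokenType string `json:"token_type"`
	Label     string `json:"label"` // "true_positive" or "false_positive"
}

// KeySet maps a key identifier to its ECDSA P-256 public key. A real partner
// fills this from https://api.github.com/meta/public_keys/secret_scanning.
type KeySet map[string]*ecdsa.PublicKey

// VerifyAlert checks the detached signature sent in the request headers:
// base64(DER-encoded ECDSA signature) over SHA-256 of the raw body.
// Verify the bytes exactly as received, before any JSON decoding.
func VerifyAlert(keys KeySet, keyID, sigB64 string, body []byte) error {
	pub, ok := keys[keyID]
	if !ok {
		return errors.New("unknown key identifier: refusing to process alert")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify: body may be forged or tampered")
	}
	return nil
}

// HandleAlert is the partner's receive path: verify, decode, check each token
// against the issuer's records, revoke live ones, and report labels back.
// isLive stands in for the issuer's database lookup (an assumption here).
func HandleAlert(keys KeySet, keyID, sigB64 string, body []byte, isLive func(string) bool) ([]Verdict, error) {
	if err := VerifyAlert(keys, keyID, sigB64, body); err != nil {
		return nil, err
	}
	var findings []Finding
	if err := json.Unmarshal(body, &findings); err != nil {
		return nil, fmt.Errorf("malformed alert body: %w", err)
	}
	verdicts := make([]Verdict, 0, len(findings))
	for _, f := range findings {
		label := "false_positive"
		if isLive(f.Token) {
			label = "true_positive"
			// A real issuer revokes f.Token here and notifies the account owner,
			// keeping f.URL (the gist or repository location) for the audit trail.
		}
		verdicts = append(verdicts, Verdict{TokenRaw: f.Token, TokenType: f.Type, Label: label})
	}
	return verdicts, nil
}

// signAsGitHub stands in for GitHub's side: sign the raw body with a freshly
// generated P-256 key. GitHub's real signing keys are not involved.
func signAsGitHub(priv *ecdsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Demo runs the exchange on a constructed alert and also reports whether a
// tampered copy of the body was rejected.
func Demo() ([]Verdict, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, false, err
	}
	const keyID = "demo-key-1" // hypothetical key identifier
	keys := KeySet{keyID: &priv.PublicKey}

	// Constructed alert: one match from an unlisted gist, one from a repository.
	alert := []Finding{
		{Token: "acme_live_0123456789abcdef", Type: "acme_api_key", URL: "https://gist.github.com/example/0123456789abcdef0123456789abcdef", Source: "content"},
		{Token: "acme_live_deadbeefdeadbeef", Type: "acme_api_key", URL: "https://github.com/example/repo/blob/abc123/config.yml", Source: "content"},
	}
	body, _ := json.Marshal(alert)
	sig, err := signAsGitHub(priv, body)
	if err != nil {
		return nil, false, err
	}
	// Hypothetical issuer lookup: only the first token is an active credential.
	isLive := func(tok string) bool { return tok == "acme_live_0123456789abcdef" }

	verdicts, err := HandleAlert(keys, keyID, sig, body, isLive)
	if err != nil {
		return nil, false, err
	}
	// Any change to the body must fail verification even with a valid key id.
	tampered := append([]byte(nil), body...)
	tampered[len(tampered)-4] ^= 0x01
	_, tamperErr := HandleAlert(keys, keyID, sig, tampered, isLive)
	return verdicts, tamperErr != nil, nil
}

func main() {
	verdicts, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%-30s %-14s %s\n", v.TokenRaw, v.TokenType, v.Label)
	}
	fmt.Println("tampered body rejected:", rejected)
}
```

Two points matter for a partner implementing this: verify the signature over the raw request bytes before parsing anything, and reject unknown key identifiers rather than skipping verification, since the key list rotates and an attacker who can reach the endpoint can otherwise inject fake "leaks" to trigger revocations.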
What Are GitHub Gists?
- Gists are a convenient way for developers to share code snippets.
- ‘Public’ gists are discoverable and searchable, while ‘secret’ gists are unlisted but not private—access is possible with the direct URL.
- For true privacy, developers should place sensitive code in private repositories.
Best Practices for Developers
- Treat all gist content as publicly accessible.
- Do not store secrets or sensitive data in gists, whether public or secret-labeled.
- Use private repos for confidential code; keep the credentials themselves out of source control entirely, in a secrets manager or environment configuration.
Further Reading
This change enhances developer and platform security, helping keep credentials and keys out of public exposure and fostering responsible code sharing.
This post appeared first on “The GitHub Blog”, where the full article is available.