How GitHub eliminated 20,000+ secret scanning alerts across 15,000 repositories in nine months
By
Michael Recachinas
Summary
GitHub Security launched a secret scanning initiative across its 15,000+ repositories, uncovering over 20,000 exposed secrets (API keys, tokens, credentials). The challenge was separating real risks from noise, assigning ownership, and building safe remediation workflows. After nine months of systematic effort, the team successfully reduced open alerts to zero, demonstrating a scalable approach to secrets hygiene that GitHub now offers to customers.
Source
Key quotes
· 3 pulledThe number was significantly higher than we anticipated, but it quickly became clear that success would depend on identifying which alerts represented real risk, assigning ownership, and remediating them safely.
Nine months later, we reached zero open alerts.
Several years ago, GitHub Security launched an initiative to assess and improve our overall secrets hygiene.
You might also wanna read
Truffle Security Releases Force Push Scanner to Detect Secrets in GitHub Commits
The article introduces the Force Push Scanner, a tool developed by Truffle Security to detect secrets in dangling commits on GitHub that rem
trufflesecurity.com·11mo ago
Guest Post: How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets ◆ Truffle Security Co.
trufflesecurity.com·1y agoAPI Radar Launches Enhanced Service for Detecting Leaked API Keys in GitHub Repositories
API Radar launches a new version of its Live Feed of Leaked API Keys service that continuously discovers exposed API keys in public GitHub r

Kaspersky uncovers over 250,000 potential security issues in GitHub Actions workflows
Security Researcher Finds 17,000+ Live Secrets in 5.6 Million Public GitLab Repositories
A security researcher scanned 5.6 million public GitLab repositories using TruffleHog and discovered over 17,000 verified live secrets, earn
trufflesecurity.com·7mo ago
GitHub patches critical remote code execution vulnerability in under six hours after AI-assisted discovery
GitHub patched a critical remote code execution vulnerability in under six hours last month. The flaw, discovered by Wiz Research using AI m

Comments
Sign in to join the conversation.
No comments yet. Be the first.