GitHub will scan for private token information every time a user pushes code, proactively preventing tokens from being leaked. ("GitHub Office" by DASPRiD is licensed underCC BY 2.0)

GitHub announced Monday that, as part of its Advanced Security offering, it would scan for private token information every time a user pushes code, proactively preventing tokens from being leaked.

Push protection includes 69 different token types, but not all of the tokens available for the automated "secret scans" of published code. Since the new feature is, by design, meant to place protection in the middle of a project workflow, GitHub prioritized scans that produced the highest signal-to-noise ratio.

"GitHub secret scanning’s new push protection capability embeds secret scanning in the developer workflow. To make this possible without disrupting development productivity, push protection only supports token types that can be detected accurately," the company wrote in a blog post.

GitHub's list of tokens for push protection includes most of the notable names from its secret scanning program, with notable omissions incuding Facebook and several types of Google tokens.

Accidental leaking of private information in GitHub repositories causes real-world problems. SolarWinds reported that an intern left a password exposed in a repository before their breach. A 2019 study found that more than 100,000 repositories had exposed tokens or cryptographic keys. Malicious hackers could easily find these by searching for common token types and variable names used for tokens.

GitHub has made an effort to crack down on these kinds of exposures through "secret scans," which look at code that has already been published. For enterprise users, that includes a massive list of token patterns that GitHub will notify the enterprise about. For all users, GitHub will scan for a smaller list of patterns from industry partners, including Facebook, and alert the partner about exposure.The partner can then choose whether to revoke the token.

A year ago GitHub changed its own tokens to be easier to identify in code.

The new proactive push scans are not on by default.

"By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether," the company wrote.