GitHub Secret Protection

Keep your secrets secret

GitHub Secret Protection continuously monitors your GitHub perimeter, helping prevent exposures, protect credentials, and ship securely.

[Image: terminal window in which a `git push` is rejected by push protection with "Secrets detected! This push failed", the offending active secret highlighted.]

4.4M secrets prevented from leaking on GitHub in 2024

150+ industry partners, working together to mitigate risk for the developer community

39M secret leaks detected with Secret Protection in 2024

Prevent accidental secret exposure across your repositories

Block leaks before they happen

Push protection automatically blocks secrets before they reach your repository, keeping code clean without disrupting workflows.

[Image: terminal showing `git push` from ~/my_project on branch_name rejected with "remote: error GH009: Secrets detected! This push failed.", "remote: GITHUB PUSH PROTECTION" and "remote: Resolve the following secrets before pushing again".]

Find the threats that others miss

Detect secrets in issues, discussions, and more with secret scanning. Metadata like validity checks and public leaks help prioritize active threats.

[Image: alert titled "Publicly leaked active secret", showing the detected secret value and the two file paths where it appears.]

Give Copilot the heavy lifting

Copilot secret scanning finds unstructured secrets such as passwords, which have no fixed token format for a pattern-based detector to match, while keeping false positives low. It adds a layer on top of the partner-pattern scans rather than replacing them.

[Image: alert "GitHub detected a secret", type "Password", showing the detected value, labelled "Detected by Copilot Secret Scanning".]

Standardize enforcement, simplify compliance

Manage policies like delegated bypass for push protection, alert dismissal restrictions, and built-in enablement configurations, simplifying security enforcement at scale.

[Image: "Secrets detected (2)" warning with a "Request bypass privileges" prompt: "Submit a request to bypass these push rules. If granted, you may attempt this push again."]

Powered by a global security partnership

GitHub partners with 150+ service providers, who register their token formats so that detections are precise and leaked credentials can be validated and revoked quickly.

Learn about the secret scanning partner program
[Image: partner logos for Microsoft Azure, Amazon Web Services (AWS), Google Cloud, Slack, Meta and OpenAI.]

Safer code for everyone

Whether you're securing an open source project or strengthening your enterprise codebase, Secret Protection helps you keep secrets out of your code.


Resources to get started

Discover developer-first application security

Take an in-depth look at the current state of application security.

View the webinar

Explore the DevSecOps guide

Learn how to build security into your code from day one with DevSecOps.

Read the whitepaper

Avoid AppSec pitfalls

Explore common application security pitfalls and how to avoid them.

Read the whitepaper

FAQs

What is GitHub Secret Protection?

GitHub Secret Protection continuously detects secret leaks and, with push protection, blocks sensitive credentials before they reach a repository. Its detection patterns come from approximately 150 service provider integrations, which keep the false positive rate low and let a leaked credential be revoked and rotated quickly, so developers lose little time to spurious alerts.

What is the secret risk assessment?

The secret risk assessment provides a free, comprehensive overview of an organization’s secret leak footprint across its GitHub repositories. By analyzing repositories for exposed secrets, it helps admins and developers understand their exposure to potential security risks and offers actionable insights for remediation. 

What is push protection?

Push protection is designed to prevent sensitive information, such as secrets or tokens, from reaching your repository in the first place. It scans the commits in a push for secrets and rejects the push if any are found. Because every commit in the push is checked, a secret that is already committed locally has to be removed from the commit that introduced it (for example by amending or rebasing), not merely deleted in a later commit, before the push will be accepted.
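Push protection (this answer and "Block leaks before they happen" above) and Copilot's password detection both come down to scanning the lines a push adds for secret-shaped values. The following is an added example, not GitHub's code: a local pre-push scan that walks a unified diff, looks only at added lines, matches two publicly documented token shapes (GitHub classic PAT, `ghp_` plus 36 characters; AWS access key ID, `AKIA` plus 16) and flags quoted credential assignments whose value is long and high-entropy, which is the kind of unstructured secret a pure pattern list misses. The pattern subset, the 3.5 bits/char entropy threshold, the 12-character minimum and the sample diff are all assumptions constructed for the example.

```python
"""Pre-push secret scan over a unified diff (added example, not GitHub's code)."""
import math
import re
import sys
from dataclasses import dataclass

# Publicly documented token shapes (GitHub classic PAT, AWS access key ID);
# an illustrative subset, not GitHub's partner pattern set.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Quoted credential assignment, e.g. DB_PASSWORD = "..." (value in group 2).
ASSIGNMENT = re.compile(
    r"""(?i)(pass(?:word|wd)?|secret|api[_-]?key)\s*[:=]\s*["']([^"']{8,})["']"""
)
ENTROPY_THRESHOLD = 3.5   # bits/char; assumed cut-off for "looks random"
MIN_LENGTH = 12           # assumed; shorter values are usually placeholders
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the new version of the file
    kind: str
    snippet: str

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_line(text: str):
    """Yield (kind, value) for each secret-like value on one added line."""
    for kind, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(text):
            yield kind, m.group(0)
    for m in ASSIGNMENT.finditer(text):
        value = m.group(2)
        if len(value) >= MIN_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            yield "high_entropy_credential", value

def scan_diff(diff: str) -> list[Finding]:
    """Scan only added ('+') lines, tracking file and new-file line number."""
    findings: list[Finding] = []
    path, new_line = "?", 0
    for raw in diff.splitlines():
        if raw.startswith(("diff ", "index ", "--- ", "\\ ")):
            continue                       # git headers, no file content
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))     # first new-file line of this hunk
            continue
        if raw.startswith("-"):
            continue                       # removed line: old file only
        if raw.startswith("+"):
            for kind, value in scan_line(raw[1:]):
                findings.append(Finding(path, new_line, kind, value))
        new_line += 1                      # added and context lines both advance
    return findings

# Constructed sample: the AWS key is the placeholder from AWS's own docs, the
# PAT is a made-up string of the right shape; "changeme" is too short/regular.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "Xk9#mP2$vL7qR4wZ8nB3tY6u"
+ADMIN_PASSWORD = "changeme"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
--- a/deploy.sh
+++ b/deploy.sh
@@ -2,2 +2,3 @@
 set -e
+export GH_TOKEN=ghp_0123456789abcdef0123456789abcdef0123
 ./release.sh
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for f in hits:   # report location and kind only; never echo the value
        print(f"{f.path}:{f.line}: {f.kind}")
    if hits:
        print("Secrets detected! Refusing push.", file=sys.stderr)
        sys.exit(1)
```

Run it from a pre-push hook as `git diff origin/main...HEAD | python prepush_scan.py` (the file name is assumed), or with no piped input to scan the embedded sample; a non-zero exit refuses the push, the same effect as the GH009 rejection. The report deliberately prints file, line and kind but not the value, so the scanner itself does not copy the secret into hook or CI logs. The entropy heuristic is what separates the random-looking `DB_PASSWORD` from the `changeme` placeholder on the next line; a real deployment would tune the thresholds against its own false-positive rate.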

What is delegated bypass for push protection?

Delegated bypass adds an approval step to bypassing push protection. A developer whose push is blocked submits a bypass request to a designated group of reviewers, who approve or deny it, so a secret only gets past the block after a second person has looked at it.

What are secret scanning validity checks?

Validity checks tell you whether a detected secret is still active, so developers and security teams can respond to live credentials first. When a secret is flagged, GitHub checks it against the issuing provider and marks the alert as active or inactive.

What is the secret scanning partnership program?

The secret scanning partnership program lets service providers register their token formats so that GitHub can scan public repositories and npm packages for exposed instances of them. When a matching secret is found in a public repository, GitHub sends an alert directly to the service provider, who can validate it and take appropriate action, such as revoking the credential.