GitHub adds enterprise public monitoring for secrets leaked across public GitHub content

GitHub's public monitoring preview scans public GitHub content for enterprise secrets and adds new token validators.

Updated Jul 02, 2026

GitHub has put secret scanning public monitoring into public preview for enterprises with GitHub Secret Protection, expanding detection beyond repositories an organization owns. The July 1 changelog says the feature monitors public content across github.com in real time and attributes exposed secrets back to an enterprise through GitHub identity data, verified domains, and token metadata.

The change targets a common blind spot in incident response. A company token may be leaked from a personal fork, a public issue, a pull request comment, or an unrelated open source repository, leaving security teams dependent on outside reports or abuse signals. GitHub says public monitoring is designed to surface those leaks directly to enterprise owners and enterprise security managers so they can revoke credentials before attackers use them.

How GitHub says attribution works

  • Member-based attribution checks whether the committer's GitHub account belongs to the enterprise.
  • Verified domain matching checks whether a committer email is on a domain verified by the organization or enterprise.
  • Findings show the secret type, the public location where it appeared, the committer, and which method was used for attribution.
  • The feature does not scan private repositories and only surfaces secrets already exposed in public content.
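
The two attribution checks above, modelled as an added example (not GitHub's code or API). The record fields, member list, domain and sample findings are constructed, and exact domain matching is an assumption, since the changelog summary does not say how subdomains are treated.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PublicFinding:          # hypothetical record, fields follow the list above
    secret_type: str
    location: str
    committer_login: str
    committer_email: str

# Constructed sample data for a hypothetical enterprise.
ENTERPRISE_MEMBERS = {"alice-dev", "bob-sre"}
VERIFIED_DOMAINS = {"example.com"}
SAMPLE_FINDINGS = [
    PublicFinding("asana_pat", "personal fork", "Alice-Dev", "alice@users.noreply.example.net"),
    PublicFinding("ibm_cloud_iam_key", "public issue", "contractor42", "Dana@Example.com"),
    PublicFinding("messagebird_api_key", "unrelated repo", "stranger", "x@notexample.com"),
    PublicFinding("asana_pat", "pull request comment", "stranger2", "example.com"),
]

def email_domain(email: str) -> Optional[str]:
    """Lower-cased domain part of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        return None
    return domain.lower().rstrip(".")

def attribute(f: PublicFinding) -> Optional[str]:
    """Return 'member', 'verified_domain', or None when neither check matches."""
    if f.committer_login.lower() in {m.lower() for m in ENTERPRISE_MEMBERS}:
        return "member"
    domain = email_domain(f.committer_email)
    # Exact comparison (assumed): a suffix test would also accept notexample.com.
    if domain is not None and domain in VERIFIED_DOMAINS:
        return "verified_domain"
    return None

def triage(findings):
    """Group attributed findings by method; unattributed ones are dropped."""
    grouped = {"member": [], "verified_domain": []}
    for f in findings:
        method = attribute(f)
        if method is not None:
            grouped[method].append(f)
    return grouped
```

Commit email addresses are metadata set by whoever makes the commit, so a domain match is best read as a lead for triage and revocation rather than proof of who leaked the secret.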

Public monitoring is available at no additional cost for eligible GitHub Enterprise Cloud customers with Secret Protection or Advanced Security. GitHub says support for Enterprise Cloud with data residency is coming later. The feature works without setup once enabled from the enterprise Security tab.

GitHub also announced related validator support on July 1 for Asana personal access tokens, IBM Cloud IAM keys, and MessageBird API keys. That separate update means secret scanning can tell users whether those leaked credentials are still active. Together, the two changes show GitHub moving secret scanning from repository-level detection toward broader, faster credential exposure response for enterprise security teams.
