GitHub expands secret scanning with Resend tokens, VolcEngine push protection and leak insights

GitHub expands secret scanning with Resend tokens, VolcEngine push protection and leak insights

GitHub added Resend and APIclub token detection, VolcEngine push protection and new public monitoring insights.

Format News Brief
Read Time 2 min
Category Cyber Security
Updated Jul 16, 2026

GitHub is rolling out a set of secret scanning and public monitoring updates aimed at catching more exposed credentials and giving enterprise security teams clearer context when leaks appear in public code.

In a July 15 changelog post, GitHub said Resend has joined its secret scanning partnership program. Under that program, GitHub scans public repositories for known token formats and can forward exposed partner secrets to the issuing service so the provider can revoke the credential or alert the affected administrator. The update adds detection for Resend API keys and APIclub API keys, widening the list of credential types GitHub can identify automatically.

What changed

  • Resend is now a GitHub secret scanning partner.
  • GitHub secret scanning now detects apiclub_api_key and resend_api_key secret types.
  • Push protection now blocks VolcEngine Ark API keys by default when secret scanning is enabled.
  • The secret_scanning_alert webhook payload now includes a secret_category field.
  • Public monitoring alert lists now show insight cards for leak attribution, enterprise member count and verified domains.

The push protection change is especially relevant for teams trying to stop credential exposure before it lands in a repository. GitHub says repositories with secret scanning enabled, including free public repositories, will automatically block commits containing VolcEngine volcengine_ark_api_key secrets. That turns what would otherwise be a post-commit alert into a preventive control for that credential class.

The webhook addition is a smaller but practical automation improvement. By labeling alerts as default or generic, GitHub says security teams can route, filter and report on findings without maintaining their own mapping of detector types. Default detections cover provider patterns and custom patterns, while generic detections include generic patterns and AI-detected secrets.

GitHub is also changing how enterprise public monitoring alerts are presented. New insight cards at the top of the alert list show how leaks were attributed, including member activity and verified-domain matches, along with the enterprise member count and verified domains. That gives incident responders a faster way to separate leaks tied to current account activity from exposure associated with corporate email domains.

The update is incremental rather than a single headline feature, but it reflects a broader shift in developer security tools: credential detection is moving from passive notification toward earlier blocking, richer alert metadata and workflow-ready triage data.

Sources

Cover photo by Tibe De Kort on Pexels, used under the Pexels License.

Comments (0)

Leave a Comment

Loading comments...