GitHub has taken a significant step to enhance the security of its platform by introducing free and targeted advanced secret scanning features for developers. This update aims to prevent the exposure of sensitive information, such as API keys and credentials, which has been a persistent challenge for users of the cloud-based version-control platform.
Last year, over 39 million API keys, credentials, and other secrets were leaked onto GitHub's platform, highlighting the need for more robust security measures. While some of these breaches occur accidentally, many are the result of well-meaning developers sharing secrets without realizing the risks. GitHub's updated Advanced Security product, GHAS, is designed to help developers avoid making such mistakes.
The GHAS 3.18 update includes a new point-in-time scan that lets developers identify exposed secrets across their organization's code, along with a secret risk assessment. This feature is available for free within the GHAS dashboard and provides insights into secrets leaked per type, publicly visible secrets in public repositories, and the affected repositories for each secret type. The scan results can be downloaded as a CSV file for further analysis.
In addition to the new secret scanning feature, GitHub has unbundled its GHAS offerings to make advanced secret and code scanning more accessible to organizations of all sizes. The company has introduced standalone Secret Protection and Code Security subscriptions, enabling development teams at smaller organizations to scale security quickly and affordably.
Existing GHAS subscribers will have the option to transition to the new plans at renewal, while customers on pay-as-you-go or metered plans can transition at any time. This move is part of GitHub's ongoing effort to help organizations of all sizes protect themselves from the risk of exposed secrets.
Notably, Team subscribers have been upgraded to access GHAS, a feature previously exclusive to premium Enterprise customers. This upgrade includes the "push protection" feature, which detects and blocks commits containing secrets. GitHub enabled this feature by default for all Enterprise customers in February 2024, with an option to bypass it for a specific block of code.
The GitHub platform, which helps developers collaborate, manage, and track changes in their code, operates on a tiered pricing model that charges subscribers based on usage, organizational size, and storage requirements. The different monthly plans are Free ($0), Team ($4), and Enterprise ($21). By making advanced security features more accessible, GitHub aims to promote a culture of security among its users and protect organizations from the risks associated with exposed secrets.
This update is a significant step forward in GitHub's efforts to enhance the security of its platform and protect its users from the risks of exposed secrets. As the platform continues to evolve, it is likely that we will see further innovations in security and risk management, ultimately benefiting the entire developer community.