Secret scanning: public leak locations and alert de-duplication across an organization or enterprise - feedback

[erinhav]

What do you think about secret scanning's new public leak and multi-repo indicators?

Public leak locations and duplicate alerts

To help you triage and remediate secret leaks more effectively, GitHub secret scanning now indicates if a secret detected in your repository has also leaked publicly with a public leak label on the alert. The alert also indicates if the secret was exposed in other repositories across your organization or enterprise with a multi-repo label.

These labels provide additional understanding into the distribution of an exposed secret, while also making it easier to assess an alert’s risk and urgency. For example, a secret which has a known associated exposure in a public location has a higher likelihood of exploitation. Detection of public leaks is only currently supported for provider-based patterns.

The multi-repo label makes it easier to de-duplicate alerts and is supported for all secret types, including custom patterns. Both indicators apply only for newly created alerts.

Exact locations, REST API, webhook support

Coming next: you'll be able to view exact locations of known public leaks for a secret scanning alert, as well as any repository names with duplicate alerts across your organization or enterprise. Public leak and multi-repo labels will also be surfaced via the REST API and webhooks.

📖 Helpful information and some friendly reminders:

Learn more about the feature via product documentation. Let us know what you think by signing up for a 60 minute feedback session or commenting below -- we're listening!

[Lashaats]

GitHub's secret scanning now tells you if a leaked secret is public or found in multiple repositories. This helps you quickly understand the risk. Soon, you’ll also be able to see exact leak locations and get API support for easier management.

[magmanu]

This is a very useful feature, thanks!
Could I suggest further enhancements, please?

• Public leaks are critical vulns and should scream in the security dashboard 😆 A simple red counter banner/tag on the Secret scanning tile shown at the dashboards security/risk and security/metrics/secret-scanning could suffice though. Currently, afaik, we only become aware of public leaks by actively looking for them using a GUI filter or some in-house automation.
• Push an email to security managers about public leaks as soon as they are identified, so remediation happens asap.
• currently, the default list of security alerts in security/alerts/secret-scanning is sorted by recency. I'd suggest that it prioritises secrets with the tag public leak by default and show them at the top of the list, regardless of when they were discovered. Otherwise, public leaks might get lost among other non-critical alerts that haven't been handled yet.

---

I also have another feat request, tangentially related to the current topic: secret criticality.

It would be handy to attach criticality levels to secret alerts. Of course committed secrets are always bad, but not all alerts are the same. There are public leaked secrets, experimental secrets, confirmed active secrets, secrets with unknown validity, critical services secrets (e.g., stripe_api_key), less important service secrets (e.g. wakatime_api_key)... They don't all carry the same weight, and it would be helpful if the alerts reflected that. If alerts can be easily and quickly prioritised by criticality, everyone's job could get a little easier.

If critically becomes a feat, I'd also request to allow us to set custom criticality levels, so we can fine-tune them by secret type, repository metadata, public leak status, validity or whatever's our heart desire. Some use cases from the top of my head: a Wakatime alert can be low by default; any secret in my crown jewel repos are critical by default, secrets with unknown validity will score lower than active secrets. Of course this could be set via GUI, but a REST endpoint would be great to automate these evaluations. Thank you!