Business · GitHub Blog
User secrets generate secret scanning alerts when found in public or private repositories
In EMU enterprises, developers often fork organization repositories into their personal namespaces.
Key facts
- Patterns that are not yet enabled by default remain configurable in your push protection settings for GitHub Secret Protection and GitHub Advanced Security customers
- `providers` and `exclude_providers` are mutually exclusive; using both returns a 422
- GitHub’s AI-powered generic secret detection runs backfill scans across your repositories, but until now those scans didn’t show up in the scan history API
Summary
This week, GitHub is rolling out several improvements to its detection coverage, APIs, and workflows:
- Forks for enterprise-managed users: User-owned forks in EMU enterprises now inherit push protection from their nearest licensed ancestor repository.
- Push protection defaults expanded: Figma, GCP, Langchain, OpenVSX, and PostHog patterns now block commits containing matching secrets by default.
- Set validity on custom pattern alerts via API: You can now mark custom pattern alerts as active or inactive directly through the PATCH endpoint.
- Team and Topic filters for secret scanning campaigns: Campaigns now support the same team and topic filter options as code scanning campaigns.