GitHub rolls out new token scanning, security alert features

GitHub will automatically scan for access tokens in public code with its new beta. It's also launching an API for security advisories.
(Flickr user <a href="">Ben Nuttal</a>)

GitHub on Tuesday announced several new security features that aim to help developers stay on top of vulnerabilities and keep sensitive data, like access tokens, out of publicly available code.

“The security challenges that underpin software today are community problems—not just the burdens of individual CISOs, IT admins, and open source maintainers,” GitHub said in a blog post. “With the breadth of data and connections GitHub maintains as the leading software development platform, we have a responsibility to protect the community from cybersecurity threats and enhance security for all.”

The company announced the launch of the public beta of a token scanning feature. Security tokens are digital keys that allow individual users of a service to stay logged in. GitHub says it will scan people’s public repositories for token formats and notify the provider if it finds any. The scans will look out for tokens provided by Amazon Web Services, Microsoft Azure, GitHub, Google Cloud, Slack and Stripe.

Having access tokens visible on a public repository is problematic because it essentially allows anyone to gain unauthorized access to the corresponding account. This was highlighted last month when Facebook disclosed that a bug in the platform’s code that allowed hackers to steal access tokens.


Developers using GitHub may unknowingly put security tokens into public code, presenting a security risk for the accounts the tokens unlock. With the beta, if GitHub discovers publicly accessible tokens on its platform, it will notify the service provider of the token prompt the GitHub account owner to issue a new token.

GitHub also announced the Security Advisory API, which will aggregate information from security feeds and dependency updates across projects on its platform. GitHub already does issue security alerts for vulnerable dependencies, but the API is meant to make it easier for people to integrate security upgrades into their own projects.

The company is also extending the original security vulnerability alerts feature to Java and .NET code, where it only supported JavaScript, Ruby and Python before.

Zaid Shoorbajee

Written by Zaid Shoorbajee

Zaid Shoorbajee is an Editorial Fellow with Scoop News Group, parent of CyberScoop.

Latest Podcasts