I worked on this before leaving GitHub a couple of months ago. It’s awesome. This release is a repo-level setting, which is nice, but it will be even more useful when the team releases a user-level setting in June/July. That will allow you to configure GitHub to (softly) prevent you from pushing any easily identifiable secrets to any public repo. The plan is for it to be on by default.<p>For context, about 200 new GitHub personal access tokens (PATs) are exposed in public repos every day, together with many more tokens from other providers. GitHub automatically revokes the PATs it finds, and notifies many partners if/when keys to their services are found, but we always felt it would be better to prevent the leaks from happening in the first place.
I don't get it. If github declines the push then the blob must have already crossed the internet?<p>The message says to remove the secret from the commit but the actual action to take would be to rotate the secret since it's been exposed to github, no?
Nice move to protect public repos.<p>For all other private repos and internal git servers, you can assume that credentials are routinely exposed if there is no pre-receive hook checking for secrets. We experimented with all the existing tools but none of them worked well enough so we built our own. Looking back we would have saved ourselves a lot of time and effort if we went with commercial offering like GitGuardian instead.