GitHub’s secret scanning journey: From 20,000 alerts to zero

GitHub once faced a daunting security challenge: more than 20,000 exposed secrets lurking across its 15,000-plus repositories. The company turned to its own secret scanning tool to tackle the issue, systematically identifying, assessing, and remediating the risks. Nine months later, GitHub reached zero open alerts—proving that even complex security problems can be solved with the right strategy.
A closer look at the problem—and the noise
Not all alerts were equally urgent. Five repositories alone accounted for 18,000 alerts, but most were inactive test credentials or fake tokens used in development. That left roughly 2,000 alerts requiring real attention—live credentials and decisions about risk, rotation, and remediation. The challenge extended beyond code: secrets were also found in support tickets, bug bounty reports, incident notes, and internal wiki pages. To address this, GitHub collaborated with customer support, security incident response, and its bug bounty program to create shared playbooks and avoid accidentally reintroducing exposed secrets during cleanup.
From reactive to systematic: GitHub’s phased approach
GitHub didn’t tackle the backlog manually. Instead, it treated secret remediation like any operational task: stop new debt first, then work down existing issues with a repeatable, measurable workflow. The first phase involved enabling secret scanning and push protection across all enterprises and organizations—no small feat across 15,000 repositories. Using GitHub Advanced Security’s organization-level settings, the company enforced protections at scale, preventing new secrets from being added while systematically addressing the backlog. The result was a structured, scalable process that reduced reliance on individual institutional knowledge and made security improvements sustainable over time.
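A small triage sketch of the workflow described above, added here as an example and not GitHub's own tooling: it measures how concentrated alerts are across repositories and orders live credentials ahead of inactive test tokens. The alert records are constructed, and their field names (repository, secret_type, validity) are an assumption about the alert shape, not the official schema.

```python
from collections import Counter

# Constructed sample records, loosely shaped like secret scanning alerts.
# Field names are an assumption for this example, not the official schema.
SAMPLE_ALERTS = [
    {"number": 1, "repository": "acme/test-fixtures", "secret_type": "github_personal_access_token", "validity": "inactive"},
    {"number": 2, "repository": "acme/test-fixtures", "secret_type": "aws_access_key_id", "validity": "inactive"},
    {"number": 3, "repository": "acme/test-fixtures", "secret_type": "slack_webhook_url", "validity": "inactive"},
    {"number": 4, "repository": "acme/sdk-examples", "secret_type": "stripe_api_key", "validity": "inactive"},
    {"number": 5, "repository": "acme/sdk-examples", "secret_type": "github_personal_access_token", "validity": "unknown"},
    {"number": 6, "repository": "acme/billing-service", "secret_type": "aws_access_key_id", "validity": "active"},
    {"number": 7, "repository": "acme/internal-wiki-export", "secret_type": "slack_webhook_url", "validity": "active"},
    {"number": 8, "repository": "acme/ops-scripts", "secret_type": "npm_access_token", "validity": "unknown"},
]

# Work order: live credentials first, unverifiable ones next, dead ones last.
PRIORITY = {"active": 0, "unknown": 1, "inactive": 2}


def triage(alerts):
    """Bucket alerts by validity; returns validity -> ordered alert numbers."""
    buckets = {"active": [], "unknown": [], "inactive": []}
    for a in sorted(alerts, key=lambda a: (PRIORITY.get(a["validity"], 1), a["number"])):
        # setdefault keeps any unexpected validity value rather than dropping it
        buckets.setdefault(a["validity"], []).append(a["number"])
    return buckets


def concentration(alerts, top_n):
    """Return the top_n repositories by alert count and their share of all alerts."""
    counts = Counter(a["repository"] for a in alerts)
    top = counts.most_common(top_n)
    share = sum(c for _, c in top) / len(alerts) if alerts else 0.0
    return [repo for repo, _ in top], share


def work_queue(alerts):
    """Ordered (alert number, repository) pairs that still need a human decision.

    Inactive alerts are excluded: they are noise to close, not credentials to rotate.
    """
    ordered = sorted(alerts, key=lambda a: (PRIORITY.get(a["validity"], 1), a["repository"], a["number"]))
    return [(a["number"], a["repository"]) for a in ordered if a["validity"] != "inactive"]


if __name__ == "__main__":
    repos, share = concentration(SAMPLE_ALERTS, 2)
    print(f"top repos {repos} hold {share:.0%} of alerts")
    print("queue:", work_queue(SAMPLE_ALERTS))
```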
GitHub’s experience highlights a key insight for organizations: cleaning up secrets isn’t just about finding them—it’s about building processes that prevent recurrence. By integrating security into existing workflows and leveraging automation, companies can move from reactive firefighting to proactive risk reduction.
Source: GitHub Blog. AI-assisted editorial synthesis — TechnoExpress.

