How GitHub’s Push Protection Stops Secret Leaks in Public Repos

GitHub’s new Push Protection feature automatically scans and blocks sensitive data like API keys and tokens across all public repositories, dramatically reducing accidental leaks and saving developers thousands of hours, while offering easy enablement through organization or repository settings.

Programmer DD

GitHub, the world’s largest code‑hosting platform, has faced numerous security incidents such as leaked API tokens and OAuth credentials across millions of repositories.

A 2019 study by North Carolina State University scanned 13 % of public GitHub repositories—billions of files—and found over 100 000 repositories exposing API tokens and encryption keys, with thousands of new leaks appearing daily.

In response, GitHub released the general‑availability version of its Push Protection feature (originally previewed in April 2022 for GitHub Advanced Security users). The service automatically blocks the exposure of sensitive data such as API keys, private keys, secret keys, authentication tokens, and certificates in all public repositories, and it is offered for free.

Push Protection scans for 69 token types with a low false‑positive rate. When a secret is detected, developers receive an in‑IDE or command‑line warning that includes the secret type, location, and remediation steps, ensuring the secret is never exposed.

Since the beta launch, enabled developers have prevented roughly 17 000 accidental secret disclosures, saving over 95 000 hours of remediation work.

Organizations with GitHub Advanced Security can enable secret scanning and push protection at the organization level by going to Settings → Security → Code security and analysis and turning on “Push protection” (or “Automatically enable for private repositories”). Individual repositories can also enable the feature through their Settings → Security and analysis → GitHub Advanced Security dialog.
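To check whether the setting described above is actually on across many repositories, the added example below (not part of the original article or of GitHub's own code) audits repository metadata for push protection and builds the request that enables it. It assumes the GitHub REST API's `security_and_analysis` field rather than the settings pages the article describes; the repository names and the token are constructed placeholders.

```python
import json
import urllib.request

FEATURES = ("secret_scanning", "secret_scanning_push_protection")

# Constructed sample: trimmed GET /repos/{owner}/{repo} responses (made-up names).
SAMPLE_REPOS = [
    {"full_name": "example-org/web", "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "enabled"}}},
    {"full_name": "example-org/infra", "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"}}},
    {"full_name": "example-org/docs", "security_and_analysis": {
        "secret_scanning": {"status": "disabled"}}},
    {"full_name": "example-org/legacy"},  # field absent: caller lacks admin access
]


def feature_status(repo, feature):
    """Return 'enabled', 'disabled', or 'unknown' when the field is absent."""
    block = repo.get("security_and_analysis") or {}
    return (block.get(feature) or {}).get("status", "unknown")


def audit(repos):
    """Map each repository to the features not confirmed as enabled."""
    gaps = {}
    for repo in repos:
        missing = [f for f in FEATURES if feature_status(repo, f) != "enabled"]
        if missing:
            gaps[repo["full_name"]] = missing
    return gaps


def enable_request(full_name, token):
    """Build (without sending) the PATCH that enables both features."""
    body = {"security_and_analysis": {f: {"status": "enabled"} for f in FEATURES}}
    req = urllib.request.Request(f"https://api.github.com/repos/{full_name}",
                                 data=json.dumps(body).encode(), method="PATCH")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/vnd.github+json")
    return req


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_REPOS).items():
        print(f"{name}: not enabled -> {', '.join(missing)}")
```

A repository reported as `unknown` is treated as a gap on purpose: a missing field means the caller could not confirm the setting, not that the repository is protected.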

For more details, see the official GitHub announcement.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
