GitHub Expands Secret Scanning to the Entire Public GitHub Surface for Enterprise Users
GitHub is introducing public monitoring for enterprises within Secret Protection: it scans all of github.com in real time, attributes leaked secrets back to organizations, and covers PR comments and Issues — at no additional charge.
This article was generated using artificial intelligence from primary sources.
GitHub announced on July 1, 2026 a significant expansion of its secret scanning system for enterprise users: public monitoring that tracks the entire public surface of github.com and in real time attributes discovered leaked secrets back to organizations. The feature arrives at no additional charge for users with a GitHub Secret Protection subscription.
What Problem Does This Solve?
Traditional GitHub secret scanning protected repositories that an organization directly owns. But secrets (API keys, tokens, passwords) often leak in contexts outside that perimeter: personal forks belonging to employees, open-source projects where contributors participate as private individuals, or even comments in Issues and pull requests on completely unrelated repositories.
This is exactly where the blind spot arises: an organization does not know that someone’s work API key ended up in a public comment somewhere on GitHub — until a malicious actor notices it first.
How Public Monitoring Works
The new feature scans git content, pull request comments, and GitHub Issues — everything that is publicly visible on the platform, not just the organization’s own repositories. When the system detects a secret, it must attribute that secret to an organization, and it uses two methods to do so.
Is Member-Based Attribution Reliable Enough?
Member-based attribution works by checking whether the GitHub account that committed the content is a registered member of the enterprise organization. This covers “managed accounts and known members,” as GitHub describes it. The method is precise but has a limitation: it does not catch employees who appear on GitHub under private accounts not linked to the organization.
That is where the second method comes in: verified domain matching. The system compares the committer’s email address against the domains the organization has verified in GitHub settings. If an employee commits with their work email address from a personal GitHub account, the finding is still attributed to the organization — even without a formal membership link. Each finding shows which of the two methods was used, the secret type, the public location, and committer information.
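The two attribution methods described above, worked through as an added example in Python. This is illustrative code written for this article, not GitHub's implementation, and it assumes one simple policy: membership is checked first, then the committer's email domain is compared exactly (case-insensitively) against the verified domains; a finding that matches neither is left unattributed, which is precisely the personal-account gap the text describes. The enterprise inventory, logins, domains and findings are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One publicly visible leak: what was found, where, and by whom (constructed sample data)."""
    secret_type: str
    location: str
    committer_login: str
    committer_email: str


@dataclass(frozen=True)
class Enterprise:
    """Hypothetical enterprise inventory: known member logins and verified email domains."""
    members: frozenset
    verified_domains: frozenset


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an email address, or None if it is malformed."""
    if address.count("@") != 1:
        return None
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return None
    return domain.lower()


def attribute(finding: Finding, enterprise: Enterprise) -> Optional[str]:
    """Attribute a finding using the two methods the article describes.

    1. "member": the committing GitHub account is a known member of the enterprise.
    2. "verified-domain": the committer email's domain is one the enterprise has verified.
    Returns the method name, or None when neither matches (an employee on an unlinked
    personal account who did not use a work email address stays unattributed).
    Checking membership first is an assumption of this example, not documented behaviour.
    """
    if finding.committer_login.lower() in enterprise.members:
        return "member"
    domain = email_domain(finding.committer_email)
    if domain is not None and domain in enterprise.verified_domains:
        return "verified-domain"
    return None


def triage(findings, enterprise):
    """Group findings by attribution method so a security team can review each bucket."""
    report = {"member": [], "verified-domain": [], "unattributed": []}
    for finding in findings:
        method = attribute(finding, enterprise)
        report[method or "unattributed"].append(finding)
    return report


# Constructed sample inventory and findings; all names, domains and paths are placeholders.
EXAMPLE_ENTERPRISE = Enterprise(
    members=frozenset({"alice-corp", "bob-corp"}),
    verified_domains=frozenset({"example.com"}),
)

SAMPLE_FINDINGS = [
    # Known member committing to their own fork: attributed via membership.
    Finding("aws_access_key_id", "github.com/alice-corp/tool/commit/abc", "alice-corp", "alice@example.com"),
    # Personal account, but the commit email uses a verified work domain (mixed case on purpose).
    Finding("slack_token", "github.com/someone/oss/issues/12#comment", "bobpersonal", "bob@Example.COM"),
    # Personal account and personal email: neither method can attribute this one.
    Finding("github_pat", "github.com/other/project/pull/7#comment", "carol-private", "carol@gmail.example"),
    # Malformed committer email must not crash attribution.
    Finding("stripe_key", "github.com/x/y/commit/def", "dave", "not-an-email"),
]

if __name__ == "__main__":
    for method, items in triage(SAMPLE_FINDINGS, EXAMPLE_ENTERPRISE).items():
        print(method)
        for finding in items:
            print(f"  {finding.secret_type} at {finding.location} ({finding.committer_login})")
```

The "unattributed" bucket is the part worth watching: it is the residual blind spot that neither method closes, and it is why verifying every domain employees might commit from matters for coverage.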
No Configuration, No Waiting
Setup is minimal: enterprise owners and security managers enable the feature through the Security tab in organization settings. No additional configuration is needed — recent leaked findings are visible immediately, and continuous monitoring begins right after activation. GitHub does not require installing additional tools or integrating with external systems.
No Additional Charge
This is a significant point: public monitoring is included in the existing GitHub Secret Protection subscription at no extra cost. For organizations already using Secret Protection, this is an upgrade that expands coverage without changing costs.
What This Means for Security Teams
For security and DevSecOps teams, this change fills a concrete gap in visibility. Instead of reactive discovery — when a user or external researcher reports a problem — organizations gain proactive monitoring that tracks the public surface of the entire platform.
Particularly valuable is the attribution that works even for informally linked accounts. An employee who forgets they are using their work email on a private GitHub profile, and accidentally commits a secret key in a personal project, no longer stays under the radar. The organization receives a real-time finding, with the detection method clearly labeled and all metadata needed for a rapid response.
For organizations operating in regulated industries or handling sensitive client data, this level of coverage is becoming less of a nice-to-have and more of a standard minimum.
Frequently Asked Questions
- What exactly is new in GitHub secret scanning for enterprise?
- GitHub now monitors the entire public surface of github.com — including git content, pull request comments, and GitHub Issues — and in real time attributes detected secrets back to enterprise organizations via two mechanisms: member-based attribution and verified domain matching.
- How does GitHub know which organization a leaked secret belongs to?
- It uses two methods: member-based (the committer's GitHub account is a registered member of the enterprise) and verified domain matching (the committer's email matches a domain the organization has verified, even if the account is not formally linked to the enterprise).
- What is the cost of this new feature?
- There is no additional charge — it is included in the existing GitHub Secret Protection subscription.