Done - thanks!

I too would like to know.

> We have a partnership with AWS (and many other token issuers) that handles this really nicely. If anything that looks like an AWS credential is committed to a public repo we send it over to AWS - if it's a real token they notify the token's owner (and in some cases automatically revoke the key).

So if something looks like a token from AWS or another token issuer, you automatically send the token to providers to check to see if it is "legit"? Is this something that is opt-in, or done automatically?

I don't really see what the problem with this would be.

I'm assuming AWS does not give a "yeah looks like it", or "nah" response -- but rather "thanks, we will look into it" and then if it's a real one the rest is directly with their customer.

That way no sensitive information would leak between the providers

That's exactly the process - there are full docs at the link below, and we're always keen to hear from potential partners.

Please also note that we only automatically send details from _public_ repos to our secret scanning partners.

https://developer.github.com/partnerships/secret-scanning/

If your keys are public they are free to anyone who wants it. They are also sending aws specific keys to amazon.

Yes and no. I'm personally not so much worried about the keys, but whatever detection they are doing to send what they "think" might be a token/key/etc. And just because a key is public, doesn't mean that it is going to be automatically sent to a third-party.

If you accidentally upload a key, but then immediately notice and force push, you're already too late since GitHub took the initiative to share that. I get that the user would be at fault here ultimately, but that doesn't mean that GitHub should be working against the user in sharing that.

What if it isn't an AWS token, but instead an encryption key or SSH key that you have blocked off to the public so you're not too worried about it but you're a warehouse worker protesting COVID-19 treatment. Now Jeff Bezos will be looking for dirt on you like you're Michael Sanchez.

If they made the detection information public then it would at least provide some transparency to see what they determine to be AWS-specific.

> And just because a key is public, doesn't mean that it is going to be automatically sent to a third-party.

In practice, it pretty much does - bad actors continuously scrape the GitHub firehose looking for AWS secrets, and then automatically spin up EC2 instances to mine cryptocurrency. GitHub's token scanning just ensures that AWS sees the tokens too.

If you don't believe me, keep this website open for a few hours - it's a realtime stream of secrets scraped from GitHub: https://shhgit.darkport.co.uk/

> SSH key that you have blocked off to the public so you're not too worried about it

How do you "block off to the public" something committed to a public GitHub repository? The OP specifically said this was for public repositories.

If GitHub weren't doing this, I imagine the AWS security people would be crawling GitHub on their own, to cut down on security incidents. This push mechanism just makes it more efficient for both GitHub and AWS.

If Amazon is looking for dirt on you, and you have public repositories, you can bet they'll be looking deeper into your repositories than a quick credential scan.

> How do you "block off to the public" something committed to a public GitHub repository? The OP specifically said this was for public repositories.

Pretty simple actually. If your AWS services are internal only, then you may not be in a rush to change keys to a service that isn't exposed.

So instead of "SSH key that you have blocked off to the public", you meant "SSH key for an SSH server blocked off from the public". That makes more sense.