Secrets are one of the biggest blind spots in software development. A secret is either exposed or it is not; there is no partial exposure. A single leaked API key, token, or hardcoded password can lead to a catastrophic breach. It is no surprise that GitHub is launching its new Secret Risk Assessment: secrets security is now a center-stage concern.

At GitGuardian, we welcome this initiative; secrets security deserves the spotlight. We have been leading this charge for years, providing comprehensive secrets security that addresses both public and internal risks for some of the largest companies in the world. GitHub's latest move is a step in the right direction, but organizations need a more comprehensive, enterprise-ready approach to keep their secrets safe.

You can start to experience that difference with GitGuardian’s Secrets Risk Assessment.

GitHub's Secret Risk Assessment: A Partial View of a Larger Problem


GitHub Advanced Security (GHAS) was recently restructured into two modules:

  • GitHub Code Security (for static analysis and software composition analysis)
  • GitHub Secret Protection (focused on detecting secrets in repositories)

This separation signals how crucial secrets security has become. To encourage adoption, GitHub has also introduced a Secret Risk Assessment: a one-time scan, available on all paid plans, that surfaces some of an organization's exposed secrets and nudges it to enable Secret Protection.

It is a positive step, but GitHub's assessment scans only the repositories inside the organization, which misses two major sources of leaks: developers' personal repositories, and collaboration tools such as Slack and Jira, which are often-overlooked sources of secrets.

💡
According to our research, 80% of corporate leaks on public GitHub occur in personal repositories, making it critical to monitor beyond the organization’s known perimeter.
💡
38% of incidents in collaboration tools are classified as highly critical or urgent, a higher proportion than in code repositories. The overlap between secrets exposed in code repositories and those found in collaboration tools is minimal, with only 7% appearing in both.

[Screenshot: GitHub's Secret Risk Assessment]

GitGuardian understands the need for a comprehensive view of your secrets' security posture. To provide clarity and enable a focused approach, we offer dashboards for internal and public risks. This allows you to:

Gain a clearer understanding: By separating these distinct risk areas, you can more easily digest the information and prioritize your security efforts. Public risks are far more time-sensitive and often addressed by a SOC team.

Focus on specific areas of concern: Internal and public risks often require different remediation strategies and may be relevant to different teams within your organization.

Gain Visibility into Public Exposures

💡
New secrets detected in public GitHub commits increased by 25% in 2024. GitGuardian scanned 69.6M public repositories, and at least 4.61% contained a secret.
Source: The State of Secrets Sprawl 2025


GitGuardian’s Public Risk Assessment

GitGuardian's Public Risk Assessment delivers a real-time view focused on your company's secrets leaking on public GitHub, backed by our six-year knowledge base of publicly exposed secrets.

Here’s what you get:

See your public exposure:

  • Get analytics on your company’s public GitHub footprint.
  • View the number of leaked secrets tied to your organization.
  • Analyze the breakdown of detected secret types.

Deep dive into your risk profile:

  • Analytics on developer activity, showing how many developers are linked to your organization.
  • Number of commits scanned, giving you insight into the scale of risk.
  • Detected secrets timeline, so you can track exposure over time.
  • Severity breakdown, identifying critical leaks like cloud credentials and database passwords.
  • Valid secrets: the subset confirmed to still be live, which should be revoked and rotated first.

Investigate and take action:

  • View a curated list of high-impact leaks detected in public repositories.
  • Use the same remediation tools available in the GitGuardian platform, including commenting on incidents, severity classification, and incident-sharing capabilities.
  • Other detected leaks remain hidden, with the option to contact us for full access to your company’s complete exposure.

This free assessment is designed to help organizations immediately understand their public secrets risk and transition into the full GitGuardian platform.

Get My Secret Risk Assessment 

Gain Visibility into Internal Exposures


GitGuardian’s internal risk analytics provide a comprehensive view of secrets exposure within your organization's systems and workflows.

For organizations that want to go beyond the public risk assessment, you can get:

Unmatched coverage: GitHub Secret Scanning focuses on secrets inside GitHub repositories. GitGuardian scans all your source code management tools (GitHub, GitLab, Bitbucket, and more) as well as other critical data sources such as Slack, Jira, and Teams. In today's enterprise environment, code lives everywhere, and your security should too.

Deeper detection: GitGuardian is built for enterprise-grade security and detects a wider range of secrets, including database credentials, private keys, and cloud access tokens. Our detection engine combines specific detectors, which recognise a token family by its format, with generic detectors for secrets that have no recognisable format, and it filters candidates to keep false positives low, so that what is flagged is far more likely to be a real secret.
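To make the distinction between specific and generic detection concrete, here is a small scanner added to this article for illustration; it is not GitGuardian's detection engine or any of its code. It runs two fixed-format detectors (the public AKIA prefix format of AWS access key IDs and the ghp_ prefix of GitHub classic tokens) alongside a generic detector that looks for credential-style assignments and keeps only long, high-entropy values, and it suppresses obvious placeholders so they never reach the report. The sample configuration, every token value in it, the severity mapping, and the entropy threshold are constructed assumptions for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Specific detectors: token families with a fixed public format (prefix + length),
# so a match is precise and gets a severity up front. Severities are assumed here.
SPECIFIC_DETECTORS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "github_pat": (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "high"),
}

# Generic detector: a credential-looking assignment (password=, *_secret:, ...) whose
# value is long and high-entropy. Catches secrets with no recognisable prefix, such as
# database passwords or HMAC signing keys.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api_key|apikey|access_key)\w*"
    r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
MIN_GENERIC_LEN = 12  # shorter values are rarely machine-generated secrets (assumed)
MIN_ENTROPY = 3.0     # bits per character; assumed threshold for hex/base64-like values
# Substrings marking a value as documentation filler rather than a live secret.
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "xxxx", "your_", "<", ">", "${")


@dataclass
class Finding:
    line_no: int
    detector: str
    severity: str
    redacted: str
    suppressed: Optional[str] = None  # why the candidate is not reported, if suppressed


def shannon_entropy(value: str) -> float:
    """Bits per character, estimated from the value's own character frequencies."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep the first 4 and last 2 characters; both regexes guarantee len >= 8."""
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def is_placeholder(value: str) -> bool:
    low = value.lower()
    return any(marker in low for marker in PLACEHOLDER_MARKERS)


def scan(text: str) -> list[Finding]:
    """Run specific detectors first, then the generic detector on what they did not claim."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed = []  # spans already attributed to a specific detector
        for name, (pattern, severity) in SPECIFIC_DETECTORS.items():
            for m in pattern.finditer(line):
                claimed.append(m.span())
                reason = "placeholder value" if is_placeholder(m.group(0)) else None
                findings.append(Finding(line_no, name, severity, redact(m.group(0)), reason))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(2)
            if any(start <= m.start(2) < end for start, end in claimed):
                continue  # the same token must not be reported twice
            reason = None
            if is_placeholder(value):
                reason = "placeholder value"
            elif len(value) < MIN_GENERIC_LEN:
                reason = f"too short ({len(value)} < {MIN_GENERIC_LEN})"
            elif shannon_entropy(value) < MIN_ENTROPY:
                reason = f"low entropy ({shannon_entropy(value):.2f} < {MIN_ENTROPY})"
            findings.append(Finding(line_no, "generic_high_entropy", "medium", redact(value), reason))
    return findings


def reported(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.suppressed is None]


def summarize(findings: list[Finding]) -> dict:
    """The breakdown a risk dashboard shows: reported secrets by type and by severity."""
    live = reported(findings)
    return {
        "by_type": dict(Counter(f.detector for f in live)),
        "by_severity": dict(Counter(f.severity for f in live)),
        "suppressed": sum(1 for f in findings if f.suppressed is not None),
    }


# Constructed sample input; none of these values is a real credential.
SAMPLE_CONFIG = """\
# constructed sample config, not real credentials
AWS_ACCESS_KEY_ID=AKIAQ7Z2XK3P9M4NTB8C
GITHUB_TOKEN=ghp_a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ
DB_PASSWORD="changeme"
MYSQL_PWD="summer2024summer"
SIGNING_SECRET="9f1c2e7d4b8a6035e1d2c3b4a5f60718"
timeout=30
"""

if __name__ == "__main__":
    results = scan(SAMPLE_CONFIG)
    for f in results:
        status = "REPORT" if f.suppressed is None else f"skip ({f.suppressed})"
        print(f"line {f.line_no}: {f.detector:<22} {f.severity:<8} {f.redacted}  {status}")
    print(summarize(results))
```

On the sample, the two prefixed tokens are reported at their assigned severity, the hex signing secret is caught only by the generic detector, "changeme" is dropped as a placeholder, and "summer2024summer" is dropped for low entropy. That last case is the honest limit of format- and entropy-based detection: a weak, human-chosen password looks like ordinary text. This is why a "valid secrets" count, produced by actually checking a candidate against the issuing service, is a more useful number than a raw match count, and why such a check is worth running before anyone is paged.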

Faster remediation: Finding a secret is only the first step; fixing it quickly is what matters. GitGuardian provides clear remediation guidance and automated workflows that help developers secure their secrets without rewriting entire commit histories. Note that scrubbing a secret from history does not undo the exposure: a leaked secret must still be revoked and rotated. Our Push-to-Vault feature then helps teams move unvaulted secrets into the vault where they belong.

Ready to See for Yourself?


GitGuardian has a proven track record of helping enterprise organizations secure their secrets. If you are serious about protecting your secrets and NHIs (Non-Human Identities), it is time to explore a solution that goes beyond the basics. Start with our free Secret Risk Assessment, then discover the full power of our platform.

FAQ

What is GitHub secret risk assessment?

GitHub Secret Risk Assessment is a security feature provided by GitHub that offers organizations a one-time scan of their GitHub repositories to identify exposed secrets such as API keys, tokens, and passwords. It is part of GitHub Advanced Security and helps organizations detect and begin fixing secrets exposure risks within their codebases. The scan focuses on repositories owned by the organization and is available to all paid GitHub plans.

How do I access GitHub secret risk assessment?

GitHub Secret Risk Assessment is available to organizations on paid GitHub plans. It can be accessed via the GitHub user interface, typically within the organization's security or secrets management settings. The assessment is a one-time scan, and after running it, organizations are encouraged to enable ongoing secret scanning for continuous protection.

What are the KPIs of github secret risk assessment?

Key Performance Indicators (KPIs) for GitHub Secret Risk Assessment include: the number of detected secrets, breakdown by secret type (such as API keys or database passwords), repository coverage (number and percentage of repositories scanned), severity classification of exposures, timeline of detected exposures, and remediation status (how many secrets have been resolved versus still exposed).

What are the limits of GitHub secret risk assessment?

GitHub Secret Risk Assessment only scans organization-owned GitHub repositories and does not cover developers’ personal repositories or external data sources like Slack, Jira, or Teams. It is a one-time scan unless ongoing secret scanning is enabled and may not detect all types of secrets, especially those outside GitHub. The assessment provides limited remediation features compared to dedicated secrets management platforms and may not meet the needs of large enterprises requiring multi-source, cross-platform coverage.