GitHub launched public monitoring for enterprise secret scanning on July 1 — a feature that watches every public repository, pull request, issue, and discussion on github.com for credentials belonging to your organization. It costs nothing extra for Enterprise Cloud customers with Secret Protection or Advanced Security enabled. It is off by default. Most security teams have not enabled it yet.
Push Protection and Public Monitoring Are Not the Same Thing
This matters because they cover different failure modes. Push protection blocks secrets before they reach GitHub — it intercepts commits at the developer machine and flags credentials before they land in your organization repositories. It works well for what it covers.
Public monitoring handles a different scenario entirely: the secret that already escaped. A developer committing to a personal fork, contributing to an open source project with their work credentials, or pasting an API key into a public issue completely bypasses push protection. None of those actions touch your organization repositories. All of them expose your credentials to the public internet.
Public monitoring scans all of github.com in real time — not just your repos — and attributes any found credential back to your enterprise. If one of your developers leaks a company API key to a public repository outside your organization ownership, you will find out about it before an attacker does. That is the gap this feature closes.
The Scale of the Problem
28.65 million hardcoded secrets were added to public GitHub commits in 2025 — a 34% year-over-year increase and the largest single-year jump on record, according to GitGuardian 2026 State of Secrets Sprawl report. AI service credentials surged 81% as developers connected more LLM infrastructure to their codebases. MCP configuration files alone exposed 24,008 unique secrets across public GitHub in 2025 — a new attack surface that barely existed twelve months ago.
What makes the remediation picture worse: 64% of credentials confirmed as valid in 2022 are still active and exploitable today. Secrets do not expire on their own. They sit in public commit history and wait.
How Attribution Works
GitHub uses two heuristics to tie a public finding back to your enterprise:
- Member-based attribution covers accounts formally enrolled in your enterprise — the managed accounts you already have visibility into.
- Verified domain matching covers personal accounts using a company email address, even when that account is not linked to your enterprise at all.
The second heuristic is the one that matters most. A developer who maintains open source projects on a personal GitHub account, commits to public repos outside working hours, or uses their work email on a side project is covered by domain matching. Security teams that only monitor managed accounts are missing this entire category of exposure.
Each alert shows which attribution method triggered it, the secret type, the public location (file, issue, PR, or discussion), and the committer identity — enough information to triage and act immediately.
How to Enable It
Enterprise owners activate public monitoring from the Security tab in enterprise settings. One toggle, no additional configuration. Once enabled, GitHub surfaces recently leaked secrets matching your enterprise and monitors in real time going forward. The feature is available to GitHub Enterprise Cloud customers with Secret Protection or Advanced Security at no additional cost. Data residency support is listed as coming soon.
The full announcement is on the GitHub Changelog.
What to Do With a Finding
Revoke the credential immediately. Do not wait to investigate the blast radius first. An active credential on the public internet has already failed — the question is only whether someone has found it yet. GitHub validity checking filters out test fixtures and deactivated tokens before surfacing an alert, so by the time a finding reaches your security tab, it is live and it is exposed.
After revocation, rotate the credential, audit access logs for the period the secret was public, and open a post-mortem on how it escaped. GitHub secret scanning documentation covers the remediation flow in detail.
One Free Feature, One Real Gap Closed
GitGuardian has offered platform-wide public GitHub monitoring as a paid product for years. GitHub building it natively into Enterprise Cloud at no additional cost is a meaningful shift — not a replacement for a dedicated secrets management platform, but a significant baseline for teams that do not have one. If your organization is on Enterprise Cloud and has not enabled this, you are leaving a capability unused that costs nothing and covers a real attack surface.
Push protection stays your first line of defense. Public monitoring is what catches what gets through.













