# Find leaked company secrets outside your repos with GitHub public monitoring
GitHub public monitoring for secret scanning is now in public preview for eligible enterprises, helping security teams find company-linked secrets exposed across public GitHub content beyond repositories they own.
GitHub public monitoring for secret scanning is confirmed and in public preview. It lets eligible GitHub Enterprise Cloud customers detect secrets exposed across public GitHub content and attribute them back to an enterprise through membership, verified domains, and platform metadata.

## What changed
GitHub announced public monitoring for enterprises with GitHub Secret Protection or GitHub Advanced Security. The feature scans public GitHub surfaces, including git content, issues, pull requests, and comments, then attributes matching secrets to an enterprise when the committer is an enterprise member or uses a verified enterprise domain.
GitHub says public monitoring does not scan private repositories. It surfaces secrets that are already public so security teams can revoke exposed credentials before misuse, and enterprise owners or security managers can enable it from the enterprise Security tab.
## Why this is early
This is a public preview, not a general-availability release. GitHub's changelog and documentation confirm the feature and eligibility, while broader secrets-sprawl research from GitGuardian explains why public credential exposure remains a live operational risk.
The important caveat: the external source supports the existence of the security problem, not any GitHub product behavior that GitHub has not documented itself. For product details, rely on GitHub's own docs.
## Key takeaways
- Enable public monitoring if your enterprise has GitHub Secret Protection or Advanced Security and meets the current eligibility rules.
- Treat alerts as incident-response triggers: validate, revoke, rotate, and remove public references.
- Use verified domains to catch work-email leaks from personal accounts.
- Do not assume this covers private repositories or non-GitHub platforms.
- Pair it with push protection, provider revocation, and developer training.
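To make the attribution rule and the response takeaway concrete, here is an added Python example (not GitHub's code or API) that models both over constructed alert records: enterprise membership and verified-domain matching decide attribution, and attributed alerts are ordered into the validate, revoke, rotate, remove sequence. The `PublicAlert` fields, the member and domain lists, and the surface-based priority are assumptions made for this illustration.

```python
from dataclasses import dataclass
# Constructed enterprise data for this example (not a real enterprise).
ENTERPRISE_MEMBERS = {"alice-dev", "bob-ops"}
VERIFIED_DOMAINS = {"example.com"}

@dataclass
class PublicAlert:
    """One public-monitoring finding. Field names are assumptions for this example."""
    alert_id: int
    secret_type: str
    surface: str  # "repository", "issue", "pull_request" or "comment"
    committer_login: str
    committer_email: str
    location: str

def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""

def matches_verified_domain(domain: str) -> bool:
    # Exact match or a subdomain of a verified domain, e.g. ci.example.com.
    return any(domain == d or domain.endswith("." + d) for d in VERIFIED_DOMAINS)

def attribute(alert: PublicAlert) -> str:
    """Return why the alert links to the enterprise, or 'unattributed'."""
    if alert.committer_login.lower() in ENTERPRISE_MEMBERS:
        return "member"
    if matches_verified_domain(email_domain(alert.committer_email)):
        return "verified-domain"
    return "unattributed"  # e.g. a noreply address from a non-member

# Fixed response path from the takeaways: validate before revoking or rotating.
RESPONSE_STEPS = ("validate", "revoke", "rotate", "remove-public-reference", "notify-owner", "audit")

def build_response_queue(alerts):
    """Keep attributed alerts only and order them for incident response."""
    queue = []
    for a in alerts:
        reason = attribute(a)
        if reason == "unattributed":
            continue
        # Assumption: git content outranks issue/PR text because it persists in clones and forks.
        priority = 0 if a.surface == "repository" else 1
        queue.append({"alert_id": a.alert_id, "reason": reason, "priority": priority, "steps": RESPONSE_STEPS})
    return sorted(queue, key=lambda e: (e["priority"], e["alert_id"]))

SAMPLE_ALERTS = [  # constructed sample alerts with fake identities and paths
    PublicAlert(1, "aws_access_key_id", "repository", "alice-dev", "alice@example.com", "alice-dev/fork/.env"),
    PublicAlert(2, "slack_webhook_url", "issue", "random-user", "dev@ci.example.com", "oss/project/issues/42"),
    PublicAlert(3, "github_token", "comment", "outsider", "123+outsider@users.noreply.github.com", "oss/project/pull/7"),
]
```

Alert 3 is dropped because neither membership nor a verified domain links it to the enterprise, which is the same reason public monitoring cannot attribute arbitrary third-party leaks.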

| Surface | What public monitoring sees | Why it matters | Limit |
|---|---|---|---|
| Public repositories | Git content linked to enterprise members or domains | Catches personal fork and OSS leaks | Public GitHub only |
| Issues and PRs | Secrets pasted into public collaboration threads | Finds non-code exposures | Attribution depends on metadata |
| Enterprise security overview | Centralized alert view | Gives security teams a response queue | Enterprise-level feature |
| Private repositories | Not scanned by this feature | Keeps scope bounded | Use normal secret scanning |

## Availability and access
Public monitoring is available in public preview for GitHub Enterprise Cloud customers with GitHub Secret Protection or GitHub Advanced Security. GitHub's documentation says it is not available for Enterprise Cloud with data residency at the time of writing.
The feature is enabled at the enterprise level. Enterprise owners and security managers can view alerts in Security overview after enablement, with findings attributed through enterprise membership and verified domain matching.
## Practical LinkLoot angle
This is a useful security control for teams whose developers contribute to open source, use personal forks, or paste debugging material into public issues. It closes a common blind spot: secrets connected to the company but leaked outside company-owned repositories.
If your automation stack uses many API tokens, connect this with your workflow inventory. LinkLoot's AI workflow automation guide is a good place to spot where keys, bots, and service accounts need rotation discipline.
## What to verify before you act
- Confirm your GitHub plan includes Secret Protection or Advanced Security.
- Verify whether Enterprise Cloud data residency affects your rollout.
- Check that enterprise domains are verified and current.
- Define a response path for revoke, rotate, owner notification, and audit trail.
- Test whether alerts reach the team that can actually rotate the affected credential.

## Source check
Confirmed by: GitHub's July 1 changelog and GitHub Enterprise Cloud documentation for public monitoring.
External context: GitGuardian's secrets-sprawl reporting supports the risk case for public credential monitoring. It is not used as a source for GitHub-specific feature claims.
It detects secrets leaked in public GitHub content and attributes them to an eligible enterprise.
