Supply Chain Security
GitHub secret scanning
When credentials like API keys are committed to repositories as hardcoded secrets, they become targets for unauthorized access. GitHub secret scanning automatically detects credential leaks so that you can secure them before they're exploited.
Cloudsmith is a member of the GitHub secret scanning partner program. This means that Cloudsmith-issued API keys are uniquely identifiable, and GitHub can detect them automatically when they appear in a repository.
See the GitHub documentation for more information about secret scanning and supported secret scanning patterns.
How it works
Cloudsmith issues API keys with a unique prefix. That prefix is registered with GitHub's secret scanning infrastructure, so if a Cloudsmith API key appears in a repository, GitHub detects and flags it automatically.
If an API key is leaked:
- GitHub detects the leaked credential and notifies Cloudsmith via a registered webhook.
- Cloudsmith notifies the affected user and workspace owners via email, so that they can rotate the key immediately.
For information about refreshing your personal Cloudsmith API key, see Refreshing a Personal/User API Key.
Note
Secret scanning runs automatically on public repositories for free. For information about GitHub secret scanning for private repositories, see GitHub Docs: Secret scanning - How can I access this feature?.