---
title: "Cloudsmith joins GitHub Secret Scanning Partner Program"
description: "Cloudsmith is now part of the GitHub Secret Scanning Partner Program. When a Cloudsmith API key appears in a GitHub repository, GitHub detects it automatically and notifies the affected team so credentials can be revoked before they are misused."
canonical_url: "https://cloudsmith.com/blog/cloudsmith-credentials-are-now-detectable-by-github-secret-scanning"
last_updated: "2026-06-18T16:00:00.000Z"
---
# Cloudsmith joins GitHub Secret Scanning Partner Program

Leaked [API keys](https://docs.cloudsmith.com/policy-management/api-key-policy) are one of the most common and well-understood security failures in software development. A credential committed to a repo, copied into a script, or exposed in a CI log can sit undetected until abuse makes it visible. By then, the damage is done.

Cloudsmith is now a member of the GitHub Secret Scanning Partner Program. That means [Cloudsmith-issued API keys are uniquely identifiable](https://github.blog/changelog/2026-06-17-secret-scanning-updates-june-2026/), and GitHub can detect them automatically when they appear in a repository.

#### How it works

Cloudsmith issues API keys with a unique prefix. That prefix is registered with GitHub's secret scanning infrastructure, so when a Cloudsmith credential appears in a repo – in source code, a config file, a committed `.env`, or anywhere else GitHub indexes – GitHub detects and flags those credentials automatically.

When a leak happens, Cloudsmith notifies the affected customer directly. Teams can revoke or rotate the compromised key before it gets misused.

The workflow is straightforward: detection happens automatically, notification is immediate, and your team decides how to respond.

#### Why this matters for your team

The window between a credential leak and credential abuse is short and it closes fast. Automated scanners can pick up a key exposed in a pull request or pushed to a public repo within minutes. Discovering issues through billing anomalies or abuse reports put teams in a challenging position, and one they want to avoid. 

Automatic detection of leaked API keys changes that dynamic. When exposure triggers an immediate notification, the response begins before most incidents have a chance to develop.

This works inside the workflows your team already uses. There is no new tooling to adopt, or new configuration required on your end. GitHub-based teams get detection in place from the moment they issue their next Cloudsmith API key.



_See how Cloudsmith secures your software supply chain end to end. [Book a demo](https://cloudsmith.com/book-a-demo) to learn more._
