Automatically detect leaked credentials with Cloudsmith and GitHub
When a Cloudsmith API key is accidentally exposed in a repository, you're notified immediately and can revoke or rotate it. Stop misuse before it starts.
How we support GitHub Secret Scanning
Why teams integrate Cloudsmith with GitHub Secret Scanning
Frequently asked questions
GitHub scans repositories for known secret formats to prevent fraudulent use of credentials that were committed accidentally. We've partnered with GitHub so that our secret formats are included in their secret scanning.
Cloudsmith issues all API keys with a unique, registered prefix. This prefix acts as a fingerprint that GitHub Secret Scanning uses to identify Cloudsmith credentials in commits, branches, and git history. Without a unique prefix, a key would be indistinguishable from arbitrary strings and could not be automatically detected.
When GitHub detects a match for a Cloudsmith key pattern, it immediately sends an alert payload to Cloudsmith. Cloudsmith validates the credential, notifies the affected account, and can automatically revoke or rotate the compromised key. The goal is to contain the exposure before any misuse can occur.
Not at this time. Today, Cloudsmith alerts users to exposed credentials so that the compromised key can be revoked, reducing response time from hours to minutes and limiting the window of potential abuse.
No additional configuration is required. The integration operates at the platform level. Cloudsmith keys are already uniquely prefixed and registered with GitHub. For public repositories, scanning is active by default. For private repositories, you need GitHub Secret Protection enabled on your GitHub plan.