Automatically detect leaked credentials with Cloudsmith and GitHub

When a Cloudsmith API key is accidentally exposed in a repository, you're notified immediately and can revoke or rotate it. Stop misuse before it starts.

How we support GitHub Secret Scanning

Cloudsmith is an accepted partner in GitHub's Secret Scanning Partner Program. Every Cloudsmith API key is uniquely prefixed so GitHub can detect it automatically and route alerts directly back to Cloudsmith for immediate action.
    Uniquely identifiable credentials
    Every Cloudsmith API key is issued with a unique prefix, making it recognizable to GitHub Secret Scanning and other compatible scanners.
    Automatic detection in public repositories
    GitHub scans all public repositories for Cloudsmith key patterns by default, with no configuration required on your side.
    Real-time exposure notifications
    When a Cloudsmith credential is detected in a commit, your team is notified immediately so you can act before misuse occurs.
    GitHub Secret Scanning Partner Program membership
    Cloudsmith is an official partner in GitHub's Secret Scanning Partner Program, meaning Cloudsmith key patterns are maintained and recognized natively within GitHub's scanning engine.

Why teams integrate Cloudsmith with GitHub Secret Scanning

Leaked API keys are one of the most common and damaging security failures in fast-moving engineering teams. Cloudsmith's participation in the GitHub Secret Scanning Program shifts your response from reactive cleanup to early detection and remediation.
Without IntegrationA developer accidentally commits a Cloudsmith API key to a repository. There is no signal that anything is wrong, and the exposure goes undetected until abuse or an external report surfaces it days or weeks later.
With IntegrationGitHub Secret Scanning detects the Cloudsmith key the moment the commit is pushed to a public repository. Cloudsmith notifies your team so you can revoke it.
Without IntegrationWhen a leak is eventually discovered, teams face a stressful, manual rotation process: identify the affected key, revoke it, update every service that depends on it, and audit for any abuse that may have taken place.
With IntegrationSecrets detection means that potential incidents can be quickly contained. You're able to revoke or rotate keys as soon as you're alerted to the leak.
Without IntegrationTeams lack confidence that every exposed credential will be caught. Low-visibility leaks create a persistent background risk that limits how freely engineers can use Cloudsmith credentials in production automation.
With IntegrationWith Cloudsmith's uniquely prefixed keys recognized natively by GitHub Secret Scanning, your team gains high confidence that any accidental exposure in GitHub will be caught and handled.

Frequently asked questions

  1. GitHub scans repositories for known secret formats to prevent fraudulent use of credentials that were committed accidentally. We've partnered with GitHub so that our secret formats are included in their secret scanning.

  2. Cloudsmith issues all API keys with a unique, registered prefix. This prefix acts as a fingerprint that GitHub Secret Scanning uses to identify Cloudsmith credentials in commits, branches, and git history. Without a unique prefix, a key would be indistinguishable from arbitrary strings and could not be automatically detected.

  3. When GitHub detects a match for a Cloudsmith key pattern, it immediately sends an alert payload to Cloudsmith. Cloudsmith validates the credential, notifies the affected account, and can automatically revoke or rotate the compromised key. The goal is to contain the exposure before any misuse can occur.

  4. Not at this time. Today, Cloudsmith alerts users to exposed credentials so that the compromised key can be revoked, reducing response time from hours to minutes and limiting the window of potential abuse.

  5. No additional configuration is required. The integration operates at the platform level. Cloudsmith keys are already uniquely prefixed and registered with GitHub. For public repositories, scanning is active by default. For private repositories, you need GitHub Secret Protection enabled on your GitHub plan.

Integrations

Discover more Cloudsmith Integrations