GitHub builds Copilot secret scanning to detect leaked passwords with AI
Regular expressions, while effective for detecting provider-formatted secrets, could not handle the nuanced and varied structures of generic passwords, generating excessive noise for security teams and developers.
An early iteration using GPT-3.5-Turbo with few-shot prompting worked in offline evaluation but failed for unconventional file types and structures encountered in actual customer repositories.
After iterative improvements, Copilot secret scanning reached general availability in October 2024, achieving up to a 94% reduction in false positives in some organizations, and is now detecting passwords on nearly 35% of all GitHub Secret Protection repositories.
Frequently asked questions
What did this team achieve with this AI workflow?
After iterative improvements, Copilot secret scanning reached general availability in October 2024, achieving up to a 94% reduction in false positives in some organizations, and is now detecting passwords on nearly 35…
What tools did this team use?
GitHub Copilot, GPT-3.5-Turbo, GPT-4, GPT-4-Turbo, GPT-4o-mini, MetaReflection.
What results were reported?
False positive reduction: 94%; GitHub Secret Protection repositories with password detection: nearly 35%; Detections and false positives: huge drop in detections and false positives (source-reported, not independently verified).
What failed first in this deployment?
An early iteration using GPT-3.5-Turbo with few-shot prompting worked in offline evaluation but failed for unconventional file types and structures encountered in actual customer repositories.
How is this compliance monitoring AI workflow structured?
Git push or history scan → LLM prompt construction → AI context analysis → Workload-aware capacity routing → Mirror testing validation → Security alert delivery.