Date: 2025-04-09

Buildkite has joined the GitHub Secret Scanning Program to enhance security for your API tokens. This program helps detect and alert us when a Buildkite API access token is leaked in a public GitHub repository.

What happens when a token is detected:

For tokens found in public repositories or npm packages: GitHub immediately notifies Buildkite, and we automatically revoke the affected token to prevent unauthorized access. The token owner and organization admins receive notifications about the incident.

For tokens found in private repositories with secret scanning enabled: Repository admins and the committer are alerted directly through GitHub's interface, where they can view and manage the detected secrets.

FAQs

Do I need to enable anything to get this protection?

For public repositories, protection is automatic with no configuration needed.

For private repositories, repository administrators need to enable GitHub Secret Scanning.

What types of Buildkite tokens are protected?

Currently, only Buildkite API access tokens are protected.

How will I be notified if my token is revoked?

The owner of the token and the admins of the associated organization will receive an email from Buildkite.

What should I do if I receive a notification about a leaked token?