by nomercy400 1275 days ago
Wait, what?

So any string (which Github deems an access token) is forwarded to Tencent?

Or will Tencent share all their current access tokens with github?

2 comments

Any string that matches the access token regexp provided by Tencent (see https://docs.github.com/en/developers/overview/secret-scanni...).
For public repositories only though. For private repos it's optional, and when enabled the repo admins get an alert to handle it themselves without it going to the vendor.

    .*
;-)
So it is just one bad regexp away from sending them other companies' secrets
I don't see what your comment is trying to point out.

The same could be said for all the other Secret Scanning partners GitHub has, like AWS and so on.

That being said, it's impossible that a "bad regexp" is gonna make its way to the GitHub codebase.

You can already do the former by using the GitHub Events API. This simply helps with the accidental leak of tokens into the public, so Tencent / Repo owner can revoke it before it gets abused. https://docs.github.com/en/rest/activity/events?apiVersion=2...
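The "one bad regexp" worry in the thread is easy to make concrete: a partner pattern can be vetted against a corpus of ordinary, non-secret source lines before anything is forwarded. The following is an added example, not code from GitHub or the thread; the token format `exmpl_` plus 32 hex characters and the corpus lines are constructed, not any real partner's pattern.

```python
import re

# Constructed corpus of ordinary source text that contains no real secrets.
# A git commit SHA is included because 40 hex characters look a lot like a token.
NON_SECRET_CORPUS = [
    "def main():",
    "    return compute(42)",
    "# TODO: refactor this",
    "https://example.com/path?x=1",
    "print('hello world')",
    "# fixed in commit 0123456789abcdef0123456789abcdef01234567",
]

# Hypothetical partner pattern: fixed prefix plus exactly 32 hex chars, word-bounded.
GOOD_PATTERN = r"\bexmpl_[0-9a-f]{32}\b"
# Too broad: any 32 hex chars, which also fires inside commit SHAs and hashes.
BROAD_PATTERN = r"[0-9a-f]{32}"
# The joke from the thread: forwards every non-empty line.
BAD_PATTERN = r".*"


def find_matches(pattern, lines):
    """Return every non-empty match the pattern would forward to a partner."""
    rx = re.compile(pattern)
    return [m.group(0) for line in lines for m in rx.finditer(line) if m.group(0)]


def false_positive_rate(pattern, lines):
    """Fraction of known non-secret lines on which the pattern fires at all."""
    rx = re.compile(pattern)
    hits = sum(1 for line in lines if any(m.group(0) for m in rx.finditer(line)))
    return hits / len(lines)


def vet_pattern(pattern, lines, max_fp=0.0):
    """Accept a partner pattern only if it stays under the allowed false-positive rate."""
    return false_positive_rate(pattern, lines) <= max_fp


if __name__ == "__main__":
    for name, pat in [("good", GOOD_PATTERN), ("broad", BROAD_PATTERN), ("bad", BAD_PATTERN)]:
        print(name, false_positive_rate(pat, NON_SECRET_CORPUS), vet_pattern(pat, NON_SECRET_CORPUS))
```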