Starting in 2026, Octopus will automatically invalidate API keys that a secret scanning partner reports as exposed in a public repository. This change strengthens our security posture and protects your deployments from unauthorized access with a leaked credential.
We have been a GitHub secret scanning partner since 2022. This partnership has helped protect everyone by identifying Octopus API keys that were accidentally committed to public repositories. When GitHub detects an exposed key, it forwards the information to us, and we notify the affected user via email.
Notifications let users rotate compromised keys, but a notification alone leaves a window of vulnerability: an attacker who finds the key can use it before the owner reads the email and revokes it. Starting in 2026, we will automatically invalidate these API keys as soon as they are reported to us. This shrinks the window for attackers to the detection latency, but it will disrupt any automation that still depends on the exposed key until a replacement is in place.
What this means for you from 2026 onwards
If one of your API keys is detected in a public repository, here’s what will happen:
- Our secret scanning partner detects the exposed key and notifies us.
- We automatically invalidate the key to prevent unauthorized use.
- You receive an email notification explaining what happened and how to create a new key.
- The invalidated key will no longer work for any API calls or deployments. You’ll need to create a replacement key and update any automation or integrations (CI pipelines, scripts, third-party tools) that were using the old key.
How can I best prevent exposing my API keys in Git?
Octopus supports OIDC with GitHub Actions, which removes the need for a long-lived Octopus API key entirely: the workflow exchanges a short-lived token issued by GitHub for an Octopus access token at run time. API keys cannot be exposed to Git if they don’t exist in the first place!
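As an added example (not code from the original post or from Octopus's own documentation), the workflow below shows what the OIDC approach looks like in practice. It assumes an Octopus service account has already been created with an OIDC identity that trusts this GitHub repository; the server URL and `service_account_id` are placeholders, and the package name and space are illustrative. The `OctopusDeploy/login@v1` step exchanges the job's GitHub OIDC token for a short-lived Octopus access token, which later Octopus actions are assumed to pick up from the environment the login step exports.

```yaml
# Added example, not from the original post. Placeholders: the server URL,
# the service account ID, the package name and the space name.
name: Push package to Octopus

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets this job request a GitHub OIDC token; without it the login step fails

jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the job's GitHub OIDC token for a short-lived Octopus access token.
      # No API key is stored in the repository, in repository secrets, or on a
      # developer's machine, so there is nothing for secret scanning to find.
      - name: Login to Octopus
        uses: OctopusDeploy/login@v1
        with:
          server: https://your-instance.octopus.app                  # placeholder
          service_account_id: 00000000-0000-0000-0000-000000000000   # placeholder

      # Assumed: the push action reads the server URL and access token that the
      # login step exported, so no api_key input appears anywhere in the workflow.
      - name: Push package
        uses: OctopusDeploy/push-package-action@v3
        with:
          packages: MyApp.1.0.0.zip   # illustrative package name
          space: Default              # illustrative space name
```

The contrast with the key-based pattern is the absence of an `api_key:` input. A workflow that passes `${{ secrets.OCTOPUS_API_KEY }}` keeps a long-lived credential alive that someone must create, store and rotate, and that can be pasted into a script or committed by mistake; the token minted for the OIDC flow expires with the job and is never written down. Restrict `id-token: write` to the jobs that need it, and scope the service account's trust in Octopus to the specific repository (and branch or environment where supported) rather than to the whole organization.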