en.Wedoany.com Reported - GitHub has partnered with the Agents Offense team in Microsoft Security & AI to bring the verification methodology of Agentic Secret Finder into GitHub's secret scanning, adding contextual reasoning to the verification step. The approach pairs GitHub's large-scale detection pipeline with LLM-based contextual verification. Evaluated against 1,500 customer-confirmed false positive alerts, it cut the false positive rate by 75.76%, beating the 65% target the team had set. At the scale of GitHub's codebase, false positives in secret scanning alerts have long burdened developers: a surplus of low-value alerts erodes trust in the system.

Traditional pattern matching can find strings that look like secrets, but it cannot tell a real exposure from a value that merely resembles one. Rather than feeding the verifier more data, the team focused on extracting a small set of high-signal facts from the file. For example, the system checks whether the value assigned to a variable is later passed into an API request, an authentication header, a database client or a cloud SDK call. The team found that most false positives can be resolved with focused, file-level context alone, whereas passing whole files or repositories adds noise, cost and latency. This "better context, not more context" strategy lets the system separate real secrets from test data and placeholders more reliably.
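
To make the "focused context" step concrete, here is an added illustration in Python; it is not GitHub's or Microsoft's code. Given the line of a flagged string assignment, it follows the variable through later assignments in the same file, records where it reaches a credential-bearing call argument, flags placeholder-looking values, and returns only the lines worth handing to a verifier. The sink call names, the keyword names, the placeholder patterns, the labelling policy and the three constructed sample files are all assumptions made for the demonstration.

```python
"""Added illustration (not GitHub's or Microsoft's code): extract focused,
file-level context around a candidate secret and check whether the value flows
into a credential sink. Sink lists and placeholder patterns are assumptions."""
import ast
import re
from dataclasses import dataclass

# Assumed: callees that consume credentials and keyword arguments that carry them.
SINK_CALLS = {"requests.get", "requests.post", "httpx.get", "httpx.post",
              "boto3.client", "psycopg2.connect", "pymysql.connect", "redis.Redis"}
SINK_KWARGS = {"headers", "auth", "password", "passwd", "token", "api_key",
               "aws_secret_access_key", "aws_access_key_id"}
# Assumed: substrings that mark a value as a placeholder or test fixture.
PLACEHOLDER_RE = re.compile(
    r"(example|placeholder|replace[-_ ]?me|your[-_]|x{4,}|dummy|changeme|<[^>]+>)", re.I)


@dataclass
class Verdict:
    variable: str
    placeholder_hint: bool
    sink_uses: list[str]      # e.g. "line 6: headers= of requests.get"
    label: str                # likely_placeholder | likely_real | needs_review
    context_lines: list[int]  # the only lines worth sending to a verifier


def _callee_name(call: ast.Call) -> str:
    """Dotted callee such as 'requests.get'; '' if the callee is not a plain name."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _mentions(node: ast.AST, names: set[str]) -> bool:
    """True if any Name in the subtree (f-strings and dict literals included) is tainted."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(node))


def analyze_candidate(source: str, line: int) -> Verdict:
    """`line` is the 1-based line of a `NAME = "<string>"` assignment flagged by a scanner."""
    tree = ast.parse(source)
    target = next((n for n in ast.walk(tree)
                   if isinstance(n, ast.Assign) and n.lineno == line
                   and len(n.targets) == 1 and isinstance(n.targets[0], ast.Name)
                   and isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)),
                  None)
    if target is None:
        raise ValueError(f"no simple string assignment on line {line}")
    var, value = target.targets[0].id, target.value.value
    tainted, context = {var}, {line}

    # Follow the value through later assignments (headers = {... f"Bearer {KEY}" ...}).
    later = sorted((n for n in ast.walk(tree) if isinstance(n, ast.Assign) and n.lineno > line),
                   key=lambda n: n.lineno)
    for a in later:
        if _mentions(a.value, tainted):
            tainted.update(t.id for t in a.targets if isinstance(t, ast.Name))
            context.add(a.lineno)

    # Record every call where a tainted name reaches a credential-bearing position.
    sink_uses = []
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call) and n.lineno > line):
        callee = _callee_name(call)
        for kw in call.keywords:
            if kw.arg in SINK_KWARGS and _mentions(kw.value, tainted):
                sink_uses.append(f"line {call.lineno}: {kw.arg}= of {callee or 'call'}")
                context.add(call.lineno)
        if callee in SINK_CALLS and any(_mentions(a, tainted) for a in call.args):
            sink_uses.append(f"line {call.lineno}: positional arg of {callee}")
            context.add(call.lineno)

    placeholder = bool(PLACEHOLDER_RE.search(value))
    # Assumed policy: a placeholder-looking value is treated as a false positive even if it
    # is passed to a client (test fixtures do that); otherwise sink use is the deciding signal.
    label = "likely_placeholder" if placeholder else ("likely_real" if sink_uses else "needs_review")
    return Verdict(var, placeholder, sink_uses, label, sorted(context))


def focused_context(source: str, verdict: Verdict) -> str:
    """Only the assignment, propagation and sink lines: better context, not more context."""
    lines = source.splitlines()
    return "\n".join(f"{n}: {lines[n - 1]}" for n in verdict.context_lines)


# Constructed samples for the demonstration (not real credentials).
REAL = '''import requests
API_KEY = "sk-live-0123456789abcdef0123456789abcdef"

def fetch_items():
    headers = {"Authorization": f"Bearer {API_KEY}"}
    return requests.get("https://api.example.com/v1/items", headers=headers)
'''
PLACEHOLDER = '''import os
DB_PASSWORD = "REPLACE_ME_WITH_REAL_PASSWORD"
print("set DB_PASSWORD via environment, e.g.", DB_PASSWORD)
'''
UNUSED = '''TOKEN = "tok_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
'''

if __name__ == "__main__":
    samples = (("real", REAL, 2), ("placeholder", PLACEHOLDER, 2), ("unused", UNUSED, 1))
    for name, src, line in samples:
        v = analyze_candidate(src, line)
        print(f"{name}: {v.label} {v.sink_uses}\n{focused_context(src, v)}\n")
```

The point of `focused_context` is that a verifier (LLM or human) receives three lines for the first sample rather than the whole file. The analysis is deliberately shallow: it tracks names through assignments in source order within one file and does not follow values across function calls, imports or other languages, which is where a production pipeline has to do considerably more work.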

The methodology sits directly on top of GitHub's existing secret scanning: it makes the verification step context-aware without changing upstream detection logic or reducing coverage. GitHub's secret scanning already combines pattern-based detection with AI-driven generic secret detection, and it runs on billions of pushes across millions of repositories from tens of millions of developers. The goal of the collaboration is to bring the precision of AI-detected secrets up to the same high standard as provider pattern detection.

The improvement shows up directly in the developer experience: with fewer irrelevant alerts, developers can prioritize and fix real issues faster. GitHub is continuing to evaluate the methodology on larger datasets and live traffic, and to refine the context extraction and verification steps.
This article is compiled by Wedoany.