Skip to content
Go to GoCardless homepage
LoginSign up

How we use Github Token Scanning to check for API key exposure

By Greg Smith, Lisa Karlin CurtisNov 20191 min read

As part of our on-going commitment to improve the security of our service and that of our customers we have implemented access token scanning across GitHub to check for API key exposure.

What does that mean for me?

During development, secrets such as API keys are necessary to connect through to services and authenticate. Managing these keys can be challenging – keeping them out of source code and keeping control over them often leads to turtles all the way down in storing these.

Using our partnership with Github for “Token Scanning”, we have added checks that mean if a GoCardless access token is checked into Github, we can take action to secure your account and protect you and your customers from fraud and data exposure.

We are really pleased to be an early adopter of this feature which is already delivering value.

What does GoCardless do? 

When an access token is detected in Github, we utilise a webhook to trigger a workflow to validate the access token. When this happens, we automatically notify you to advise of a potential breach.

These checks provide an extra safety check to protect you and your customers from a potential security breach. It is one of the ways that we are applying privacy and security by design across our products. We already extensively use Dependabot (which was recently acquired by Github and started as a project at GoCardless) that we use to keep our third party dependencies up to date in our libraries and internal projects.

Our security team will investigate to understand why the access token ended up in GitHub and what else we can do to better support our integrators.

Visit our FAQs to find out more about how we approach security at GoCardless.

GoCardless is used by over 55,000 businesses around the world. Learn more about how you can improve payment processing at your business today.

Learn moreSign Up

Interested in automating the way you get paid? GoCardless can help

Contact sales

Contact Us


Contact sales

+44 20 8338 9539


Request support

+44 20 8338 9540

Seen 'GoCardless Ltd' on your bank statement? Learn more

GoCardless Ltd., Sutton Yard, 65 Goswell Road, London, EC1V 7EN, United Kingdom

GoCardless (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services. GoCardless SAS (23-25 Avenue Mac-Mahon, Paris, 75017, France), an affiliate of GoCardless Ltd (company registration number 834 422 180, R.C.S. PARIS), is authorised by the ACPR (French Prudential Supervision and Resolution Authority), Bank Code (CIB) 17118, for the provision of payment services.