GitHub's secret scanning now uses LLM-based contextual verification to cut false positives by 75.76%, beating its own 65% target. The work is a collaboration between GitHub and Microsoft Security and AI's Agents Offense team, applying techniques from a system called Agentic Secret Finder. The improvement targets AI-powered generic secret detection, the newer layer that catches unstructured secrets like passwords that don't match known provider patterns.
The technical decision worth understanding here is not the LLM itself but what gets fed into it. Rather than passing entire files or repositories, the system extracts focused usage signals: how a candidate value is assigned, and whether it flows into an API request, authentication header, database client, or cloud SDK call. This distinction between more context and better context is the core argument of the piece, and the authors make it with specificity.
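As an added illustration of the "focused usage signals" idea (not GitHub's or Microsoft's code; the sink names, keyword list and both code samples are constructed for the demo), this Python snippet reduces a candidate value to how it is assigned and where it flows, which is the compact context a verifier would receive instead of the whole file:

```python
# Illustrative re-creation of "focused usage signals" for a candidate secret; not GitHub's code.
# Sink call names, credential keywords and both samples below are constructed for this demo.
import ast

SINK_CALLS = {"requests.get", "requests.post", "boto3.client", "psycopg2.connect"}
SINK_KEYWORDS = {"password", "auth", "api_key", "aws_secret_access_key", "token"}

# Constructed samples: the same literal used as a live bearer token vs. as a documentation example.
LIVE_USE = '''
import requests
api_token = "sample-token-constructed-for-demo"
r = requests.get("https://api.example.com/v1/me", headers={"Authorization": f"Bearer {api_token}"})
'''
DOC_USE = '''
EXAMPLE = "sample-token-constructed-for-demo"
print("Set API_TOKEN to a value shaped like", EXAMPLE)
'''

def usage_signals(source: str, candidate: str) -> dict:
    """Return how `candidate` is assigned and where it flows; this, not the file, is the LLM input."""
    tree = ast.parse(source)
    sig = {"assigned_to": [], "sink_calls": [], "sink_keywords": [], "auth_header": False}
    for node in ast.walk(tree):  # pass 1: names bound directly to the literal
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and node.value.value == candidate:
            sig["assigned_to"] += [t.id for t in node.targets if isinstance(t, ast.Name)]
    names = set(sig["assigned_to"])

    def refers(n):  # subtree contains the literal or one of its aliases (covers f-strings, dicts)
        return any((isinstance(x, ast.Constant) and x.value == candidate)
                   or (isinstance(x, ast.Name) and x.id in names) for x in ast.walk(n))

    for node in ast.walk(tree):  # pass 2: sink calls, credential keywords, Authorization headers
        if isinstance(node, ast.Call):
            fn = ast.unparse(node.func)  # e.g. "requests.get"
            if fn in SINK_CALLS and any(refers(a) for a in node.args + [k.value for k in node.keywords]):
                sig["sink_calls"].append(fn)
            sig["sink_keywords"] += [k.arg for k in node.keywords
                                     if k.arg and k.arg.lower() in SINK_KEYWORDS and refers(k.value)]
        elif isinstance(node, ast.Dict):
            for k, v in zip(node.keys, node.values):
                if isinstance(k, ast.Constant) and str(k.value).lower() == "authorization" and refers(v):
                    sig["auth_header"] = True
    return sig

def looks_like_live_credential(sig: dict) -> bool:
    """Cheap pre-filter over the signals; only flagged candidates need the expensive verifier."""
    return bool(sig["sink_calls"] or sig["sink_keywords"] or sig["auth_header"])
```

Run against the two constructed samples, the same literal yields `sink_calls == ["requests.get"]` and `auth_header == True` in the live case and an empty signal set in the documentation case, which is the distinction the page says the verifier relies on.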
The approach was evaluated on hundreds of customer-confirmed false positive alerts, with the 75.76% reduction achieved while maintaining detection coverage. No upstream detection logic was changed. The full article details where this fits inside GitHub's existing pipeline and how the verification step was extended without adding latency at scale, which is the part most engineers will want to read closely.