GitHub Launches Token Scanning for CloudBees CodeShip's AES Key

Written by: Ethan Jones
2 min read
Stay connected

It’s not often that we take to our blog to announce someone else’s new feature - but in this case, it’s pretty cool and we’re glad to do so.

GitHub launched a feature called token scanning not too long ago. With token scanning, they look through your repo on every commit for anything that matches regular expressions provided to them by trusted vendors to help highlight keys and tokens that should never be committed.

We think this is an awesome way to keep secrets out of your repo, and we jumped at the chance to have our own CloudBees CodeShip Pro encryption key included.

Scanning for CodeShip.aes

On CloudBees CodeShip Pro, you use the Jet CLI to encrypt your environment variables and Docker build arguments using a unique AES key created per-project (and reset whenever you need.)

This AES key is never intended to be committed to your repo - and now, if it is inadvertently committed, you’ll be notified by GitHub and can cycle the key right away!

This is both a minor deal and a major deal. Minor, because you don’t have to do anything different, and major because GitHub will help you catch any security slip in this regard immediately.


You don’t need to do anything to set this up, we partnered with GitHub to get it configured and it’s just another way we’ve worked (along with GitHub) to keep your CI/CD process safe and secure.

If you have any questions, just let us know.

Additional resources

Stay up to date

We'll never share your email address and you can opt out at any time, we promise.