// Rubber Duck Thursdays - Sshh, let's talk about secrets.

This episode focuses on why secrets should never exist in source code and how GitHub’s newly unbundled security products help prevent and detect secret leaks.

After the weekly GitHub Changelog review — covering the new GPT-4o Copilot completions model, repository ownership limits, GitHub Desktop updates, Copilot mobile multi-model support, and GitHub Issues dashboard improvements — Chris dives into the headline topic: GitHub Advanced Security splitting into two standalone products, Secret Protection ($19/month) and Code Security ($30/month), now available for GitHub Team plans without requiring Enterprise.

The stream includes live demos of the secret risk assessment report, secret scanning alerts with partner validation, push protection blocking leaked tokens before they reach the remote repository, delegated bypass controls for organizations, and custom patterns using regex and AI generation to detect things like credit card numbers or internal email addresses. Chris discusses best practices around git ignore files, why rewriting history isn’t a reliable fix, and the importance of proactive security tooling integrated into the development lifecycle.

The episode wraps with a quick look at the GitHub-themed brick breaker game walkthrough, including a new feature that loads a user’s real GitHub contribution graph as the game board, where darker squares are harder to break.