This article is more than 1 year old
GitHub tackles leaks by scanning for secrets in pushed code
Repo updates inspected for security blunders before some git can exploit them
GitHub is aiming to help users avoid inadvertent leaks of confidential objects like access tokens by scanning repository content for such secrets before a git push is allowed to complete.
The secret scanning capability is already a feature of GitHub Advanced Security, which is enabled for all public repositories on GitHub.com and an option for GitHub Enterprise users.
With this turned on, it scans repositories for secrets – passwords, encryption keys and authorization tokens – that may have been included by developers accidentally. It can also detect those issued by various service provider partners such as Azure or Adobe.
Now, GitHub said that secret scanning's new push protection capability embeds secret scanning proactively into the developer workflow itself. But, to avoid disrupting developer productivity too much, this push protection only supports token types that can be detected accurately.
To this end, GitHub changed the format of its own secrets last year, and has been working with those service provider partners to push for them to implement patterns that can be more reliably identified. The new push protection capability is starting off with support for 69 such high confidence patterns, the firm said.
With this protection enabled, GitHub will check for high-confidence secrets as developers push code, and block the push if the scan appears to uncover a secret.
Developers can review the results and remove the secrets from their code before pushing again, or else can choose to flag the secret as a false positive, a test case, or real instance to be fixed later.
- GitLab issues critical update after hard-coding passwords into accounts
- Zlib crash-an-app bug finally squashed, 17 years later
- Dev rigs up receipt printer to spit out GitHub issues
- PlanetScale offers undo button to reverse schema migration without losing data
However, if secret scanning push protection is bypassed in this way, GitHub will generate a closed security alert in the case of secrets identified as test cases or false positives. For secrets flagged "to resolve" later, GitHub will generate an open security alert for both the developer and the repository administrator, to allow them to work together on a fix.
In a post announcing the new capability, GitHub said it has already detected more than 700,000 secrets across thousands of private repositories through secret scanning for GitHub Advanced Security.
Organizations with GitHub Advanced Security can enable secret scanning’s new push protection capability at the repository and organization levels via the API or by clicking a button in the UI, the firm said.
Not all new features go down well: last month, GitHub was inundated with complaints after it introduced a social media-style algorithmic feed with suggestions for developers to look at. This prompted a promise from GitHub that it would introduce a setting to allow users to opt out of the distracting feature. ®