
GitHub now scans for secret leaks in developer workflows

Apr, 05, 2022 Hi-network.com

GitHub has introduced a new scanning feature for protecting developers from accidental secret leaks.


On April 4, the Microsoft-owned code hosting platform said GitHub Advanced Security has been upgraded with a push protection feature for secret scanning, intended to stop credentials that could compromise organization-owned repositories from being committed in the first place.

GitHub Advanced Security is a licensed business product including code scanning, supply chain attack protection, and Dependabot alerts.

The feature is an optional check that runs when a git push arrives and before it is accepted. For now the scan looks only for "highly identifiable patterns" of leaked credentials, developed jointly by GitHub and partner organizations, including the issuers of the tokens themselves.

Push protection currently checks 69 such high-confidence patterns; the broader secret scanning feature it builds on covers more than 100 token types.

These include those issued by Alibaba Cloud, Amazon, AWS, Azure, npm, Slack, and Stripe.

GitHub says its secret scanning has detected over 700,000 secrets across thousands of private repositories to date.

With push protection enabled, every push is scanned for those high-confidence patterns, and a push containing a match is rejected. Because the check is limited to highly identifiable token formats, GitHub reports a low false-positive rate in testing.

"If a secret is identified, developers can review and remove the secrets from their code before pushing again," GitHub explained. "In rare cases where immediate remediation doesn't make sense, developers can move forward by resolving the secret as a false positive, test case, or real instance to fix later."

When a developer bypasses the block by marking a detection as a real secret to fix later, GitHub automatically opens a secret scanning alert for it, so the leak is tracked rather than forgotten.

The new feature can be enabled in the suite's user interface or via the API.

"By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether," GitHub commented. 



Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.