Microsoft’s Git-based open source Internet hosting service for software developers is expanding its offerings scan secret partner program. Until now, this service was only available to GitHub Advanced Security users. With this advance it will be freely accessible to all public repositories.
The program, which scans repositories for more than 200 token formats, allows developers to track disclosed secrets in their public GitHub repository. This year, with more than 94 million developers in its repositories, the program discovered more than 1.7 million potential secrets.
In a bloggingGitHub said that exposed secrets and credentials, the most common cause of data breaches, remain on average for 327 days before being identified.
Mariam Sulakian, GitHub product manager, explained that GitHub always scans all public repositories for secrets and sends default detections to its partners.
“Now our customers can also enable a secret scanning experience in the product to track the recovery of any exposures in their public repositories,” she said. “Users can view alerts for detected secrets in a repository’s security tab. Each alert contains information about the compromised secret, including suggested remediation steps, its location, and a timeline of actions taken in response to the alert.
She added that every day GitHub detects more than 4,500 potential secrets leaked into public repositories and sends detections to its more than 100 service provider partners.
“Now we’re also bringing those findings up so users can track exposures in their own repositories,” she said.
TO SEE: Rental package: Python developer (Tech Republic Premium)
According to Sulakian, leaks can occur in several ways:
- Secrets can leak out accidentally, for example if a developer uses their credentials for a quick test to debug and then forgets to remove those credentials before committing and pushing their code.
- Secrets can also be left in the git commit history. Let’s say an admin “fixes” leaks and removes the secret from the main branch, but they don’t clean up the entire git history.
- Secrets can leak intentionally. “Imagine a student or novice developer leaving their secret in their source code, unaware of the potential impact of a leak,” she said.
Secret scanning for free on all public repos
Currently, GitHub is working with service providers to flag leaked credentials on all public repos through its secret scan partner program. The new release gives open source developers free access to the alerts about leaked secrets in code, enabling them to identify the source of the leak, easily track alerts, and take action (Image A).
GitHub launched the secret scan for public repositories as a beta this month. Users must activate it within the platform’s security settings, but the service’s rollout will be progressive with full availability to all users by the end of January 2023.
Push protection for custom patterns
GitHub introduced push protection for GitHub Advanced Security customers in April 2022 to proactively prevent leaks by scanning for secrets before they are captured. Since then, Sulakian and Malik wrote againhas the feature prevented over 8,000 secret leaks across 100 secret types (Figure B).
According to GitHub, organizations that have defined custom patterns can now enable push protection for those patterns. They explained that push protection for custom patterns can be configured on a per-pattern basis.
“Just as you can already choose which patterns to publish (and which to refine first in draft mode), you can decide which patterns to protect based on false positives,” the company said.
TO SEE: Open source code for commercial software applications is ubiquitous, but so is the risk (TechRepublic)
With the new feature, GitHub Advanced Security provides organizations with additional coverage for what are often their most important secret patterns—the patterns that have been customized and defined internally for their organizations.
The new program allows service providers to work with GitHub to secure their secret token formats through scanning, which looks for accidental commits of secret formats. It can then be sent to a service provider’s authentication endpoint.
How secrets and tokens work in GitHub
In GitHub, “secrets” allow developers to verify their workflow run. When a developer uses a GitHub project, GitHub automatically creates a unique GITHUB_TOKEN “secret”, which gives the developer access to GitHub apps installed in the developer’s repository. The GITHUB_TOKEN expires when a job is completed or after a maximum of 24 hours. If a GitHub project communicates with an external service, the owner can use a token or private key for authentication.
Both tokens and private keys are secrets that a service provider can issue. If a user checks in a secret to a repository, anyone who has read access to the repository can use the secret to access the remote service with the user’s privileges. GitHub recommends that users store secrets in a special, secure location outside of their project’s repository.
Sulakian explained that a GitHub project can connect to countless external services – and most of them connect to one or several.
“For example, developers can use Slack tokens to create bots that help automate processes,” she said. “If leaked, these tokens could allow an unauthorized user to access the Slack app associated with the token. We strive to protect all services that developers and teams interact with, and we always welcome more partners to help secure our mutual users.”
Interested in taking the next step toward coding understanding for game development? Checking out The ultimate training to learn how to code.