
GitHub Advanced Security now scans for secrets with each push

Researchers at Checkmarx reported a “high-severity” vulnerability in GitHub that could have let an attacker take control over a GitHub repository and potentially infect all applications and other code relying on it with malicious code. (“GitHub Office” by DASPRiD is marked with CC BY 2.0.)

GitHub announced Monday that, as part of its Advanced Security offering, it would scan for private token information every time a user pushes code, proactively preventing tokens from being leaked.

Push protection covers 69 different token types, but not every token type available to the automated "secret scans" of already-published code. Since the new feature is, by design, meant to sit in the middle of a project workflow, GitHub prioritized the patterns that produce the highest signal-to-noise ratio.

"GitHub secret scanning’s new push protection capability embeds secret scanning in the developer workflow. To make this possible without disrupting development productivity, push protection only supports token types that can be detected accurately," the company wrote in a blog post.

GitHub's list of tokens for push protection includes most of the notable names from its secret scanning program, with omissions including Facebook and several types of Google tokens.
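To make the signal-to-noise argument concrete, here is an added example (not GitHub's code, and not its actual detector rules) of a minimal push-time check over a constructed diff: the high-signal patterns are modeled on publicly documented token formats with a fixed prefix and length (an assumption here), while a generic "password =" pattern shows the kind of noisy match push protection leaves out.

```python
import re
from typing import Dict, List, Tuple

# High-signal patterns: a distinctive prefix plus a fixed length. Modeled on
# publicly documented formats (assumption); GitHub's real rules are not public here.
HIGH_SIGNAL: Dict[str, "re.Pattern[str]"] = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Low-signal pattern: finds real secrets, but also test fixtures and placeholders.
LOW_SIGNAL = re.compile(r"(?i)\b(password|secret|token)\s*[:=]\s*['\"]?\S+")

# Constructed unified-diff lines; the token values are fake and fail any checksum.
SAMPLE_DIFF = """\
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
-OLD_KEY = "ghp_000000000000000000000000000000000000"
+assert password == "hunter2"  # test fixture
+# token = <insert token here>
""".splitlines()


def scan_push(diff_lines: List[str], patterns=HIGH_SIGNAL) -> List[Tuple[int, str, str]]:
    """Return (line_no, token_type, redacted_match) for each hit in added lines only."""
    hits = []
    for no, line in enumerate(diff_lines, 1):
        if not line.startswith("+"):  # only content this push would introduce
            continue
        for name, pat in patterns.items():
            for m in pat.finditer(line):
                hits.append((no, name, redact(m.group(0))))
    return hits


def redact(secret: str) -> str:
    """Never echo a full secret back into logs or CI output."""
    return secret[:8] + "..." + "*" * (len(secret) - 8)


def should_block(diff_lines: List[str]) -> bool:
    """Block the push when any high-confidence pattern matches."""
    return bool(scan_push(diff_lines))


if __name__ == "__main__":
    for no, kind, shown in scan_push(SAMPLE_DIFF):
        print(f"line {no}: {kind} {shown}")
    print("blocked" if should_block(SAMPLE_DIFF) else "allowed")
```

Running the generic pattern over the same diff (`scan_push(SAMPLE_DIFF, {"generic": LOW_SIGNAL})`) flags only the test fixture and the placeholder comment, which is exactly the noise that would stall a developer's push.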

Accidental leaking of private information in GitHub repositories causes real-world problems. SolarWinds reported that an intern left a password exposed in a repository before its breach. A 2019 study found that more than 100,000 repositories had exposed tokens or cryptographic keys. Malicious hackers could easily find these by searching for common token types and the variable names typically used for tokens.

GitHub has made an effort to crack down on these kinds of exposures through "secret scans," which look at code that has already been published. For enterprise users, that includes a massive list of token patterns that GitHub will notify the enterprise about. For all users, GitHub will scan for a smaller list of patterns from industry partners, including Facebook, and alert the partner about the exposure. The partner can then choose whether to revoke the token.

A year ago GitHub changed its own tokens to be easier to identify in code.

The new proactive push scans are not on by default.

"By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether," the company wrote.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
