News

GitHub will scan certain commits for tokens and private keys before publishing

By admin
Spread the love

GitHub will scan commits from certain organizations for secrets such as tokens and private keys before publishing. Now that scanning only takes place afterwards, when the secrets can already be seen by malicious parties. The proactive scanner looks at 69 common secrets.

If developers push code that reveals a known secret, then a warning appears on the screen. Developers can then modify the code and extract the secret. Users can also choose to push the code after all, for example if it concerns test code or a false positive.

GitHub scans for 69 different types of secrets provided by partners and other organizations. For example, it scans for session tokens and secret access keys from AWS, Cloud Access Keys from Alibaba Cloud, and Cloud Storage Access Keys from Google.

Secrets are, for example, authentication tokens or access keys for external services, but they can also be internally used passwords. GitHub recommends developers store those secrets outside of the GitHub repos. If developers store them within public GitHub repos, these secrets can be viewed and exploited by others.

The proactive secret scanner is only available for companies that enjoy the paid GitHub Advanced Securityuse the program. These organizations must also enable the proactive secret scanner themselves. Advanced Security also includes a scanner that can scan code after publication for both the presence of secrets and vulnerabilities.

You might also like
News

EU Council determines position on security requirements for digital products

News

Microsoft and Activision Blizzard postpone acquisition deadline until October

News

Meta introduces open source language model Llama 2, works on PCs and phones

News

‘Microsoft wants to postpone deadline for Activision Blizzard…

News

Sony and Microsoft sign agreement to keep Call of Duty on PlayStation

News

Xbox Community CEO Larry ‘Major Nelson’ Hryb is leaving Microsoft after…