GitHub logo on the screen smartphone and notebook closeup.
Image: prima91/Adobe Stock

Microsoft’s Git-based open source Internet hosting service for software developers is expanding its secret scanning partner program. Hitherto, this service was available only to GitHub Advanced Security users. With this advance, it will be open to all public repositories for free.

The program, scanning repositories for over 200 token formats, allows developers to track any publicly exposed secrets in their public GitHub repository. This year, with over 94 million developers across its repositories, the program found over 1.7 million potential secrets exposed.

In a blog, GitHub said exposed secrets and credentials, the most common cause of data breaches, have a dwell time of 327 days on average before they are identified.

Mariam Sulakian, GitHub product manager explained that GitHub always scans all public repositories for secrets and sends detections to its partners by default.

“Now, our customers can also enable an in-product secret scanning experience to track remediation for any exposures in their public repositories,” she said. “Users can view alerts for detected secrets in a repository’s security tab. Each alert will contain information about the compromised secret, including suggested remediation steps, its location, and a timeline of actions taken on the alert.”

She added that GitHub detects over 4,500 potential secrets leaked in public repositories every day and sends detections to its 100+ service provider partners.

“Now, we also surface those findings for users to track exposures in their own repositories,” she said.

SEE: Hiring kit: Python developer (TechRepublic Premium)

Leaks can happen in a number of ways, according to Sulakian: 

  • Secrets can leak on accident, e.g. if a developer uses their credentials for a quick test to debug and then forgets to remove those credentials before committing and pushing their code. 
  • Secrets can also be left in git commit history. Suppose an admin is “remediating” leaks and removes the secret from the main branch but they don’t scrub the entire git history. 
  • Secrets can leak intentionally. “Imagine that a student or novice developer leaves their secret in their source code, unaware of a leak’s potential impact,” she said.

Secret scanning free on all public repos

Currently GitHub partners with service providers to flag leaked credentials on all public repos through its secret scanning partner program. The new release gives open source developers free access to the alerts about leaked secrets in code — enabling them to identify the leak’s source, easily track alerts and take action (Figure A).

Figure A

How to activate secret scanning for a project in GitHub.
Image: GitHub. How to activate secret scanning for a project in GitHub.

GitHub launched the secret scanning for public repositories as a beta this month. Users have to activate it within the platform’s security settings, but the rollout of the service is going to be progressive with full availability to all users by the end of January 2023.

Push protection for custom patterns

GitHub introduced push protection to GitHub Advanced Security customers in April 2022 to proactively prevent leaks by scanning for secrets before they are committed. Since then, Sulakian and Malik wrote again, the feature has prevented more than 8,000 secret leaks across 100 secret types (Figure B).

Figure B

Screen capture of security analysis and alert activation feature on GitHub.
Image: GitHub. Screen capture of security analysis and alert activation feature on GitHub.

Now, according to GitHub, organizations that have defined custom patterns can enable push protection for those patterns. They explained that push protection for custom patterns can be configured on a pattern-by-pattern basis.

“Just like how you can already choose which patterns to publish (and which to first refine in draft mode), you can decide which patterns to push protect, based on false positives,” said the company.

SEE: Open source code for commercial software applications is ubiquitous, but so is the risk (TechRepublic)

With the new feature, organizations with GitHub Advanced Security have additional coverage for what are often their most important secret patterns — the ones customized and defined internally to their organizations.

The new program lets service providers partner with GitHub to have their secret token formats secured through scanning, which searches for accidental commits of secret formats. It can then be sent to a service provider’s verify endpoint.

How secrets and tokens work in GitHub

In GitHub, “secrets” allow developers to authenticate their workflow run. When a developer starts a GitHub Project, GitHub automatically creates a unique GITHUB_TOKEN “secret,” which allows the developer access to GitHub Apps that are installed on the dev’s repository. The GITHUB_TOKEN expires when a job finishes or after a maximum of 24 hours. If a GitHub project communicates with an external service, the owner might use a token or private key for authentication.

Both tokens and private keys are secrets that a service provider can issue. If a user checks a secret into a repository, anyone who has read access to the repository can use the secret to access the external service with the user’s privileges. GitHub recommends that users store secrets in a dedicated, secure location outside of the repository for their project.

Sulakian explained that a GitHub project can connect to countless external services—and most do connect to one or several.

“Developers might, for example, use Slack tokens to create bots that help automate processes,” she said. “If leaked, these tokens can give an unauthorized user access to the Slack app associated with the token. We aim to protect all the services that developers and teams interact with, and we always welcome more partners to help secure our mutual users.”

 

Interested in taking the next step toward coding comprehension for game development? Check out The Ultimate Learn to Code Training.