GitHub has announced that it will enable push protection by default for all public repositories, to help reduce accidental leaks of secrets.
With push protection in place, GitHub scans every 'git push' to a public repository and blocks it if it contains API keys, tokens or other secrets that would otherwise be exposed.
GitHub first introduced push protection in April 2022, ran it as a beta, and made the feature generally available in May 2023; until now, however, it has been opt-in.
In a blog post announcing the change, GitHub said its secret scanning tool “protects over 200 token types and patterns from over 180 service providers.”
With secret scanning push protection enabled by default, a push to a public repository that contains a detected secret is blocked; the user can then remove the secret from the offending commits, or acknowledge the warning and bypass the block altogether.
Users can also choose to disable the feature entirely, although GitHub does not recommend this.
GitHub said it could take about a week for the change to reach all accounts, but users can check their status and opt in early through the code security and analysis settings.
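To make concrete what a push-time secret scan actually does, here is an added example (not GitHub's code, and far simpler than its real detector, which covers over 200 token types) that scans a unified diff the way push protection scans a push: only added lines are inspected, matches are reported with a file path and line number, and the secret is masked in the report so the scanner's own output does not leak it. The token patterns for GitHub personal access tokens and AWS access key IDs are the well-known public formats; the sample diff is constructed for the example, and both key strings in it are fake (the AWS value is Amazon's documented example key).

```python
"""Toy push-protection style scanner: find secrets in the added lines of a git diff."""
import re
import sys
from dataclasses import dataclass

# A small subset of public token formats. Real push protection matches hundreds.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    line: int      # line number in the new version of the file
    preview: str   # masked match, so the report itself does not leak the secret


def mask(secret: str) -> str:
    """Keep a recognisable prefix/suffix, star out the middle."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, like a push-time check would."""
    findings: list[Finding] = []
    path = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))  # first line number of the new-file side
            continue
        if raw.startswith("-"):
            continue  # removed content never reaches the remote; not scanned
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                for hit in pattern.finditer(content):
                    findings.append(Finding(kind, path, new_line, mask(hit.group(0))))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # unchanged context also advances the new-file counter
        # 'diff --git', 'index', '\ No newline' lines do not advance the counter
    return findings


# Constructed sample diff (not real repository content). Both secrets are fake:
# the PAT is the alphabet, the AWS id is Amazon's documented example value.
FAKE_GITHUB_PAT = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"  # 4 + 36 chars
SAMPLE_DIFF = f"""diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,4 @@
 DEBUG = False
-GITHUB_TOKEN = None
+GITHUB_TOKEN = "{FAKE_GITHUB_PAT}"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = ["example.com"]
"""


if __name__ == "__main__":
    # Usage: git diff origin/main...HEAD | python scan_push.py -
    # With no argument, the constructed sample diff is scanned instead.
    diff = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF
    results = scan_diff(diff)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
    sys.exit(1 if results else 0)  # non-zero exit = "block the push"
```

Wired into a local pre-push hook, the non-zero exit stops the push before anything leaves the machine, which is the same decision point GitHub's server-side check enforces; the difference is that a local hook can only ever know the patterns you give it.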
GitHub deals with “more than a dozen accidental leaks every minute”
GitHub's Eric Tooley and Courtney Claessens explained that the inadvertent leak of API keys, tokens, private keys, and credentials remains a widespread problem and has previously led to serious security breaches, reputational damage, and legal issues.
“In just the first eight weeks of 2024, GitHub has detected more than 1 million leaked secrets in public repositories,” they wrote. “That’s more than a dozen accidental leaks per minute.”
Demand for push protection is high, according to the company, which reported that since it rolled out the feature to its Advanced Security customers, more than 95% of users have chosen to scan pushes to private repositories as well.
When it introduced push protection in April 2022, GitHub said the tool had detected more than 200,000 secrets across thousands of private repositories.
Now, GitHub wants to extend the same protection to open source code by securing public repositories.
Vulnerabilities in open source code have risen sharply, according to a new report from Synopsys.
The Synopsys report found that almost three-quarters of the code bases it assessed in 2023 contained high-risk open source vulnerabilities, a 54% increase on the previous year.
The US National Institute of Standards and Technology (NIST) has also recognized the threat in the software supply chain, publishing new guidance on how organizations can protect themselves.
The guidance says security teams should not approve merging open source software from unverified sources, and that developers should prefer to obtain open source components as source code rather than as precompiled libraries.
GitHub itself has had problems with accidental leaks in the past. In March 2023, the development platform had to replace its RSA SSH host key after the private key was briefly exposed in a public repository.