Everything you need to know about GitHub’s new push protection changes
GitHub is turning on its secret scanning feature by default to evaluate git pushes to public repositories. Here’s what you need to know


GitHub has announced it is enabling push protection for all users by default for all public repositories to help reduce accidental information leaks.
With push protections in place, GitHub will scan each ‘git push’ to a public repository to confirm there are no API keys, tokens, and other secrets that could be exposed as a result.
GitHub trialed push protection in April 2022 and the system has been in public beta since, with the firm making the secret scanning feature generally available in May 2023.
In a blog post announcing the change, GitHub said its secret scanning tool “guards over 200 token types and patterns from more than 180 service providers”.
With secret scanning push protection turned on by default, if a secret is detected in a push to a public repository, users will be able to remove it from commits, or ignore the warning and circumvent the block altogether.
Users can also choose to disable the feature entirely, although this is not recommended by GitHub.
GitHub said it might take a week or so for the changes to apply to all accounts, but users can verify their status and choose to opt in early by going into their code security and analysis settings.
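The push-time check and the block-or-bypass choice described above can be modelled locally. This is an added example, not GitHub's implementation or code from the article: the function names, the three widely known token shapes and the sample diff are assumptions constructed for illustration.

```python
import re

# Three widely known secret shapes (assumed pattern set for this example;
# GitHub's own scanner covers far more token types than shown here).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def scan_diff(diff_text):
    """Return (path, new_line_number, pattern_name) for secrets on added lines."""
    findings, path, old_left, new_left, lineno = [], None, 0, 0, 0
    for raw in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:
            # Outside a hunk: only file and hunk headers matter.
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            m = HUNK.match(raw)
            if m:
                old_left = int(m.group(1) or 1)
                lineno = int(m.group(2))
                new_left = int(m.group(3) or 1)
            continue
        tag, text = raw[:1], raw[1:]
        if tag == "+":  # only content being introduced by the push is checked
            findings += [(path, lineno, name)
                         for name, rx in PATTERNS.items() if rx.search(text)]
        old_left -= tag != "+"   # removed and context lines consume the old side
        new_left -= tag != "-"   # added and context lines consume the new side
        lineno += tag != "-"     # new-file numbering skips removed lines
    return findings

def push_decision(diff_text, bypass=False):
    """Block on any finding unless the pusher explicitly bypasses the warning."""
    findings = scan_diff(diff_text)
    if not findings:
        return "accepted", findings
    return ("accepted-with-bypass" if bypass else "blocked"), findings

FAKE_PAT = "ghp_" + "A" * 36  # constructed placeholder, not a real token
SAMPLE_DIFF = "\n".join([
    "--- a/config.py", "+++ b/config.py", "@@ -1,2 +1,3 @@",
    " DEBUG = False", "+TOKEN = '" + FAKE_PAT + "'", " TIMEOUT = 30",
])
```

Counting lines from the hunk header keeps a removed or added line that happens to start with `--` or `++` from being mistaken for a file header, and lets each finding point at the exact line to clean up before pushing again.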
GitHub deals with “more than a dozen accidental leaks every minute”
Eric Tooley and Courtney Claessens at GitHub explained that the inadvertent leaking of API keys, tokens, private keys, and credentials remains a pervasive issue, and one that has previously led to serious security breaches, reputational damage, and legal trouble.
“In just the first eight weeks of 2024, GitHub has detected over 1 million leaked secrets on public repositories. That’s more than a dozen accidental leaks every minute.”
Demand for a tool to bolster protections on pushes is high, according to the firm, which reported that since rolling the feature out to its Advanced Security customers, more than 95% of users choose to scan pushes to private repositories.
When it introduced the secret scanning feature in April 2022, GitHub said it detected over 200,000 secrets across thousands of private repositories using the tool.
Now, GitHub is looking to do the same for open source code and secure public repositories too.
Vulnerabilities in open source code have increased significantly, according to new research from EDA specialists Synopsys.
Synopsys’ report revealed almost three quarters of all codebases assessed in 2023 were found to contain high-risk open source vulnerabilities, up 54% compared to the previous year.
The US National Institute of Standards and Technology (NIST) recognized the threat that exists in the software supply chain with new guidance on how organizations can protect themselves.
The new guidance stated that security teams should approve the merging of unverified sources of open source software, and that devs should try to download open source code as source code instead of pre-compiled libraries.
GitHub itself has struggled with accidental leaks in the past. In March 2023, the developer platform was forced to make changes to its terminal code and replace its RSA SSH host key after it was inadvertently exposed.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.