Everything you need to know about GitHub’s new push protection changes
GitHub is turning on its secret scanning feature by default to evaluate git pushes to public repositories. Here’s what you need to know.
GitHub has announced it is enabling push protection for all users by default for all public repositories to help reduce accidental information leaks.
With push protections in place, GitHub will scan each ‘git push’ to a public repository to confirm there are no API keys, tokens, and other secrets that could be exposed as a result.
GitHub trialed push protection in April 2022 and the system has been in public beta since, with the firm making the secret scanning feature generally available in May 2023.
In a blog post announcing the change, GitHub said its secret scanning tool “guards over 200 token types and patterns from more than 180 service providers”.
With secret scanning push protection turned on by default, if a secret is detected in a push to a public repository, users will be able to remove it from commits, or ignore the warning and circumvent the block altogether.
Users can also choose to disable the feature entirely, although this is not recommended by GitHub.
GitHub said it might take a week or so for the changes to apply to all accounts, but users can verify their status and choose to opt in early by going into their code security and analysis settings.
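An added example, not GitHub's code or part of the original article: a scanner that applies the same idea locally, checking only the lines a push would add. The three detector patterns, the name `scan_diff` and the sample diff are assumptions made for illustration, and the credentials in the sample are fabricated filler.

```python
import re

# Illustrative detectors only (assumption), not GitHub's own pattern set.
DETECTORS = {
    "github_personal_access_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (path, new_line, detector) per matching added line; never the secret itself."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # next file: headers follow
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            line_no, in_hunk = int(m.group(1)), True
        elif in_hunk and line.startswith("+"):   # added line: scan it
            for name, rx in DETECTORS.items():
                if rx.search(line[1:]):
                    findings.append((path, line_no, name))
            line_no += 1
        elif in_hunk and line.startswith(" "):   # context line exists in new file
            line_no += 1
    return findings                              # removed lines are ignored

# Constructed sample in `git diff` format; both credentials are fabricated.
FAKE_PAT = "ghp_" + "A" * 36
FAKE_AWS = "AKIA" + "X" * 16
SAMPLE_DIFF = f"""diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,2 @@
 DEBUG = False
-TOKEN = os.environ["TOKEN"]
+TOKEN = "{FAKE_PAT}"
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -4 +4,2 @@
 set -e
+export AWS_ACCESS_KEY_ID={FAKE_AWS}
"""

if __name__ == "__main__":
    print(scan_diff(SAMPLE_DIFF))
```

Run from a pre-push hook over the `git diff` between the remote and local refs, a non-empty result is the signal to stop the push before the commit leaves the machine.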
GitHub deals with “more than a dozen accidental leaks every minute”
Eric Tooley and Courtney Claessens at GitHub explained that the inadvertent leaking of API keys, tokens, private keys, and credentials remains a pervasive issue, and one that has previously led to serious security breaches, reputational damage, and legal trouble.
“In just the first eight weeks of 2024, GitHub has detected over 1 million leaked secrets on public repositories. That’s more than a dozen accidental leaks every minute.”
Demand for a tool to bolster protections on pushes is high, according to the firm, which reported that since rolling the feature out to its Advanced Security customers, more than 95% of users choose to scan pushes to private repositories.
When it introduced the secret scanning feature in April 2022, GitHub said it detected over 200,000 secrets across thousands of private repositories using the tool.
Now, GitHub is looking to do the same for open source code and secure public repositories too.
Vulnerabilities in open source code have increased significantly, according to new research from EDA specialists Synopsys.
Synopsys’ report revealed almost three quarters of all codebases assessed in 2023 were found to contain high-risk open source vulnerabilities, up 54% compared to the previous year.
The US National Institute of Standards and Technology (NIST) recognized the threat that exists in the software supply chain with new guidance on how organizations can protect themselves.
The new guidance stated that security teams should approve the merging of unverified sources of open source software, and that devs should try to download open source code as source code instead of pre-compiled libraries.
GitHub itself has struggled with accidental leaks in the past. In March 2023, the developer platform was forced to make changes to its terminal code and replace its RSA SSH host key after it was inadvertently exposed.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.