GitHub has announced it is enabling push protection for all users by default for all public repositories to help reduce accidental information leaks.
With push protections in place, GitHub will scan each ‘git push’ to a public repository to confirm there are no API keys, tokens, and other secrets that could be exposed as a result.
GitHub trialed push protection in April 2022 and the system has been in public beta since, with the firm making the secret scanning feature generally available in May 2023.
In a blog post announcing the change, GitHub said its secret scanning tool “guards over 200 token types and patterns from more than 180 service providers”.
With secret scanning push protection turned on by default, if a secret is detected in a push to a public repository, users will be able to remove it from commits, or ignore the warning and circumvent the block altogether.
Users can also choose to disable the feature entirely, although this is not recommended by GitHub.
GitHub said it might take a week or so for the changes to apply to all accounts, but users can verify their status and choose to opt-in early by going into their code security and analysis settings
GitHub deals with “more than a dozen accidental leaks every minute”
Eric Tooley and Courtney Claessens at GitHub explained inadvertent leaking of API keys, tokens, private keys, and credentials remains a pervasive issue, and one that has previously led to serious security breaches, reputational damage, and legal trouble.
“In just the first eight weeks of 2024, GitHub has detected over 1 million leaked secrets on public repositories. That’s more than a dozen accidental leaks every minute.”
Demand for a tool to bolster protections on pushes is high, according to the firm, which reported that since rolling the feature out to its Advanced Security customers, more than 95% of users choose to scan pushes to private repositories.
When it introduced the secret scanning feature in April 2022, GitHub said it detected over 200,000 secrets across thousands of private repositories using the tool.
Now, GitHub is looking to do the same for open source code and secure public repositories too.
Vulnerabilities in open source code have increased significantly, according to new research from EDA specialists Synopsys.
Synopsys’ report revealed almost three quarters of all codebases assessed in 2023 were found to contain high-risk open source vulnerabilities, up 54% compared to the previous year.
The US National Institute of Standards and Technology (NIST) recognized the threat that exists in the software supply chain with new guidance on how organizations can protect themselves.
The new guidance stated that security teams should approve the merging of unverified sources of open source software, and that devs should try to download open source code as source code instead of pre-compiled libraries.
GitHub itself has struggled with accidental leaks in the past. In March 2023, the developer platform was forced to make changes to its terminal code and replace its RSA SSH host key after it was inadvertently exposed.
