GitHub now scans for secret leaks in developer workflows

The new tool aims to protect developers against API and token exposure.
Written by Charlie Osborne, Contributing Writer

GitHub has introduced a new scanning feature for protecting developers from accidental secret leaks.

On April 4, the Microsoft-owned code-hosting platform said the GitHub Advanced Security suite has been upgraded with a new push protection feature to prevent the leak of secrets that could compromise organization-owned projects.

GitHub Advanced Security is a licensed business product including code scanning, supply chain attack protection, and Dependabot alerts.

The new feature is an optional check that runs in developers' workflows before a git push is accepted. For now, the scan only checks for "highly identifiable patterns" of potential leaks, developed through the collaborative efforts of GitHub and partner organizations, including token issuers.

There are 69 patterns in total that the tool will check for as potential indicators of secret leaks. In addition, over 100 different token types are checked.

These include those issued by Alibaba Cloud, Amazon, AWS, Azure, npm, Slack, and Stripe.

GitHub says that over 700,000 secrets across thousands of private repositories have been detected to date.

If push protection is enabled, a scan checks the pushed content for high-confidence leak patterns. If a pattern matches, the push is blocked. According to the company, the false-positive rate during testing has been low.

"If a secret is identified, developers can review and remove the secrets from their code before pushing again," GitHub explained. "In rare cases where immediate remediation doesn't make sense, developers can move forward by resolving the secret as a false positive, test case, or real instance to fix later."

If a developer pushes through by resolving a detected secret as a real instance to fix later, an open security alert is generated automatically so the secret is tracked after the push.
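To illustrate the workflow described above, here is an added example (not GitHub's own code, and not its partner-supplied pattern set): a minimal pre-push check that blocks on a small assumed set of high-confidence token formats, allows the push only when every match carries one of the three resolutions GitHub names, and opens an alert for matches resolved as real secrets to fix later. The two regexes and the sample values are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative high-confidence token formats (assumed subset; GitHub's real
# pattern set comes from its partners and is not reproduced here).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}
# The three ways the article says a developer may resolve a blocked push.
RESOLUTIONS = {"false_positive", "test_case", "fix_later"}

@dataclass
class Finding:
    kind: str      # which pattern matched
    line_no: int   # 1-based line in the pushed content

@dataclass
class Decision:
    allowed: bool
    open_alerts: List[Finding] = field(default_factory=list)

def scan(diff_text: str) -> List[Finding]:
    """Return one Finding per high-confidence match in the pushed content."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(kind, line_no))
    return findings

def decide_push(diff_text: str,
                resolutions: Optional[Dict[Tuple[str, int], str]] = None) -> Decision:
    """Block if any finding lacks a valid resolution; otherwise allow the push
    and open an alert for every finding resolved as a real secret to fix later."""
    resolutions = resolutions or {}
    alerts = []
    for f in scan(diff_text):
        res = resolutions.get((f.kind, f.line_no))
        if res not in RESOLUTIONS:
            return Decision(allowed=False)  # unresolved match: reject the push
        if res == "fix_later":
            alerts.append(f)                # becomes an open alert after the push
    return Decision(allowed=True, open_alerts=alerts)

# Constructed sample: the AWS value is AWS's documented example key ID, the Stripe one is made up.
SAMPLE = "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nSTRIPE = 'sk_live_" + "x" * 24 + "'\nprint('hello')"
```

Wiring `decide_push` into a git pre-push hook and feeding it the diff of the commits being pushed is the remaining step; the classification keys would come from whatever the developer recorded when resolving the block.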

The new feature can be enabled in the suite's user interface or via the API.

"By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether," GitHub commented. 
