Microsoft: Our CredScan stops GitHub gaffes from revealing Azure secrets

Microsoft's Credential Scanner will flag when developers publish secrets that put their applications at risk.
Written by Liam Tung, Contributing Writer


Microsoft has released a public preview of a security service that helps Azure developers avoid posting private keys and other secrets in public repositories on GitHub.

Developers have been caught on numerous occasions committing this security blunder, potentially giving access to online storage and application databases. A researcher last year also published a tool for sniffing out secret keys called TruffleHog, which could make it easier for attackers to find these secrets.

According to Microsoft, customers who expose passwords, private keys, database connection strings, and storage account keys managed in Azure are putting their applications and services at "significant risk".

An attacker could use the details to compromise an Azure subscription and lump developers with unwanted bills, or steal and modify assets stored in the cloud or on-premises.

To prevent this situation from happening, Azure runs CredScan to monitor all incoming commits on GitHub. It also "checks for specific Azure tenant secrets such as Azure subscription management certificates and Azure SQL connection strings", Microsoft said.


Microsoft Azure runs CredScan to monitor all incoming commits on GitHub for passwords, private keys, database connection strings, and storage-account keys.

Image: Philip Meier, Getty Images

Microsoft has been using CredScan to protect Azure and its own services and applications. The scan currently doesn't check for all secrets, but Microsoft is planning on adding more types of data to the scanning service.


The service is automatically enabled for Azure subscription owners, who will be notified by email from Microsoft's Cyber Defense Operations Center (CDOC) if CredScan detects an exposed secret.

The email details which commits have been flagged, the affected subscriptions and assets, the secret type, and advice on how to fix the problem.

Microsoft advises that anyone who receives a notification should check past commits and commit history to ensure they don't also contain exposed credentials.

Microsoft says it has already notified thousands of customers since introducing the scan, so clearly the error is not uncommon.

And the company reminds Azure developers that merely removing a published secret won't fix the problem since the secret could have already been nabbed. Hence, they should revoke the key or credential to resolve the issue.
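As an added illustration (not Microsoft's CredScan code), the following Python scans the added lines of a commit diff for two of the secret types named above, an Azure storage account key and an Azure SQL connection string, and tags each finding with the revoke-and-rotate action the article recommends. The 88-character key shape, the entropy threshold used to reject placeholder keys, and the sample diff are assumptions of this example.

```python
import base64
import hashlib
import math
import re

# Added example, not CredScan's own code. Storage account keys are 64 random
# bytes, so base64 encoding gives 86 alphabet characters followed by "==".
STORAGE_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
# Azure SQL connection strings point at *.database.windows.net and carry a password.
SQL_CONN_RE = re.compile(
    r"Server=tcp:[\w.-]+\.database\.windows\.net[^;]*;.*?Password=([^;\s\"']+)",
    re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as 'AAAA...' score near zero."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_storage_key(candidate: str) -> bool:
    """Shape alone is not enough: it must decode to 64 bytes and look random."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 64 and shannon_entropy(candidate) > 3.5

def scan_diff(diff_text: str) -> list:
    """One finding per line the commit adds that carries a recognised secret."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines can newly expose a secret
        m = STORAGE_KEY_RE.search(line)
        if m and looks_like_storage_key(m.group(1)):
            findings.append({"line": lineno, "type": "AzureStorageAccountKey", "action": "revoke and rotate"})
        m = SQL_CONN_RE.search(line)
        if m:
            findings.append({"line": lineno, "type": "AzureSqlConnectionString", "action": "revoke and rotate"})
    return findings

# Constructed sample diff: a real-shaped key, an all-'A' placeholder, and an SQL string.
SAMPLE_KEY = base64.b64encode(hashlib.sha512(b"constructed sample key").digest()).decode()
SAMPLE_DIFF = f"""+++ b/settings.py
+STORAGE = "DefaultEndpointsProtocol=https;AccountName=acct;AccountKey={SAMPLE_KEY};EndpointSuffix=core.windows.net"
+PLACEHOLDER = "AccountKey={'A' * 86}=="
+SQL = "Server=tcp:srv.database.windows.net,1433;Initial Catalog=app;User ID=dbadmin;Password=S3cr3tP@ss!;Encrypt=True;"
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the key on line 2 and the connection string on line 4 while skipping the all-'A' placeholder on line 3, which decodes to the right length but has near-zero entropy.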

Microsoft is also developing a tool called CredScan Code Analyzer, which detects potential secrets in code and encourages developers to move them to secure locations.
