GitHub announced that it enables push protection for all users by default for all public repositories to reduce accidental information leakage.
With push protection enabled, GitHub will scan every ‘git push’ to a public repository to check that no API keys, tokens, or other secrets would be exposed as a result.
GitHub introduced push protection in April 2022 and the system has been in public beta since then, with the company making the secret scanning feature generally available in May 2023.
In a blog post announcing the change, GitHub said its secret scanning tool “holds more than 200 types of tokens and samples from more than 180 providers.”
With secret scanning push protection turned on by default, if a secret is discovered in a push to a public repository, users will be able to remove it from the commit, or ignore the warning and bypass the block altogether.
Users can also choose to disable the feature entirely, although GitHub does not recommend this.
GitHub said it could take a week or two for the change to apply to all accounts, but users can confirm their status and opt in early by going into their code security and analytics settings.
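As an added illustration of what a push-time secret check does (example code written for this article, not GitHub's own scanner), the following Python scans only the lines a push would add to a unified diff for a few assumed token patterns and reports where each one lands, so the same check can run locally before the server-side block is hit.

```python
import re
import sys
from typing import Dict, List
# Illustrative patterns only (assumed for this example); GitHub's real
# detectors cover far more providers and are not published in this form.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_diff(diff_text: str) -> List[Dict[str, object]]:
    """Return secret hits found on lines a push would add ('+' lines)."""
    findings = []
    current_file, new_line_no = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # new-side file header
            current_file = line[4:].removeprefix("b/")
            continue
        if line.startswith("@@"):            # hunk header: reset new-side line counter
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
            new_line_no = int(m.group(1)) - 1 if m else 0
            continue
        if line.startswith(("-", "\\")):     # removed lines and '\ No newline' markers
            continue
        new_line_no += 1                     # context and added lines both count
        if not line.startswith("+"):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line[1:]):
                findings.append({"file": current_file, "line": new_line_no, "type": name})
    return findings
# Constructed sample diff; the AWS value is the public documentation example key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-TOKEN = os.environ["GITHUB_TOKEN"]
+TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 print(TOKEN)
"""
if __name__ == "__main__":                   # e.g. `git diff origin/main | python scan.py`
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for h in hits:
        print(f"blocked: {h['type']} in {h['file']}:{h['line']}")
    sys.exit(1 if hits else 0)
```

Wired into a pre-push hook, a non-zero exit stops the push locally, which mirrors the server-side block described above without depending on it.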
GitHub deals with “more than a dozen accidental leaks every minute”
GitHub’s Eric Tooley and Courtney Claessens explained that the inadvertent leakage of API keys, tokens, private keys, and credentials remains a pervasive problem, and one that has previously led to serious security breaches, reputational damage, and legal issues.
“In just the first eight weeks of 2024, GitHub discovered over 1 million leaked secrets in public repositories. That’s more than a dozen accidental leaks every minute.”
Demand for push protection is high, according to the company, which reported that since introducing the feature to its Advanced Security users, more than 95% of them have chosen to scan pushes to private repositories.
When it introduced the secret scanning feature in April 2022, GitHub said it had discovered more than 200,000 secrets in thousands of private repositories using the tool.
Now GitHub wants to do the same for open source and secure public repositories.
Vulnerabilities in open source code have increased significantly, according to new research from EDA specialist Synopsys.
Synopsys’ report found that nearly three-quarters of all codebases assessed in 2023 contained high-risk open source vulnerabilities, a 54% increase compared to the previous year.
The US National Institute of Standards and Technology (NIST) has recognized the threat that exists in the software supply chain with new guidelines on how organizations can protect themselves.
The new guidelines state that security teams should approve the merging of unverified open source software sources and that developers should try to download open source code as source code instead of precompiled libraries.
GitHub itself struggled with accidental leaks in the past. In March 2023, the developer platform was forced to change its terminal code and replace its RSA SSH host key after it was inadvertently exposed.