Commits With API Keys And Auth Tokens Can Now be Automatically Blocked by GitHub 

On Monday, GitHub revealed that its code hosting platform’s secrets scanning capabilities had been improved for GitHub Advanced Security clients, allowing them to stop secret breaches automatically. Secret scanning is an enhanced security feature that enterprises with a GitHub Advanced Security license may activate for extra repository screening in the GitHub Enterprise Cloud. 

It works by matching patterns that GitHub has defined or that service providers and partners have supplied. Each match raises a security alert in the repository’s Security tab, and if it fits a partner pattern the partner is notified as well. 

Push protection is the latest feature that prevents credentials from being accidentally exposed before committing code to remote repositories. This new approach integrates secret scanning into the development process. It supports 69 token kinds (API keys, secret keys, access tokens, credentials, management certificates, authentication tokens, private keys, and more) that can be detected with a low “false positive” rate. 

“With push protection, GitHub will check for high-confidence secrets as developers push code and block the push if a secret is identified,” said GitHub. “To make this possible without disrupting development productivity, push protection only supports token types that can be detected accurately.” 

If GitHub Enterprise Cloud detects a secret in the code being pushed, the git push is blocked until the developers have reviewed and removed the secrets from the commits they attempted to push. Alternatively, developers can mark a finding as a false positive, a test case, or an item to be fixed later, and the push is then allowed through. 
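To make the push-time check described above concrete, here is an added example (not GitHub’s code) of a local Git pre-push hook that scans the commits being pushed for a couple of high-confidence token formats and refuses the push until they are removed or explicitly allow-listed. The token formats used are public ones; the `secret-scan:allow` marker is an assumption standing in for GitHub’s false-positive/test-case bypass.

```python
"""Constructed pre-push hook: block pushes that introduce high-confidence secrets."""
import re
import subprocess
import sys

# Only patterns with a low false-positive rate, so legitimate pushes are rarely blocked.
PATTERNS = {
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Hypothetical marker a developer adds to a line to label a match as a
# false positive or test fixture (the local analogue of GitHub's bypass options).
ALLOW_MARKER = "secret-scan:allow"
ZERO_SHA = "0" * 40
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree


def find_secrets(diff_text: str) -> list[tuple[str, str]]:
    """Return (pattern name, offending line) for each added line that matches."""
    findings = []
    for line in diff_text.splitlines():
        # Only lines the push introduces ("+..."), skipping the "+++" file header.
        if not line.startswith("+") or line.startswith("+++") or ALLOW_MARKER in line:
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line[1:].strip()))
    return findings


def diff_for_push(local_sha: str, remote_sha: str) -> str:
    """Diff exactly the commits being pushed; a new branch is diffed against the empty tree."""
    base = EMPTY_TREE if remote_sha == ZERO_SHA else remote_sha
    result = subprocess.run(["git", "diff", base, local_sha], capture_output=True, text=True)
    return result.stdout


def main() -> int:
    # git feeds the hook "<local ref> <local sha> <remote ref> <remote sha>" lines on stdin.
    blocked = False
    for line in sys.stdin:
        _, local_sha, _, remote_sha = line.split()
        if local_sha == ZERO_SHA:  # branch deletion: nothing new to scan
            continue
        for name, offending in find_secrets(diff_for_push(local_sha, remote_sha)):
            print(f"push blocked: {name} found in: {offending}", file=sys.stderr)
            blocked = True
    return 1 if blocked else 0  # non-zero exit makes git abort the push


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-push` (executable) in a repository; unlike GitHub’s server-side push protection, a local hook can be skipped with `git push --no-verify`, so it complements rather than replaces the platform feature.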

Secret scanning push protection may be enabled at both the repository and organization level using the API or with a single click via the user interface for organizations using GitHub Advanced Security. You should complete the following steps to enable push protection for your organization: 

  1. Navigate to the organization’s home page on GitHub.com. 
  2. Click Settings from the drop-down menu next to your organization’s name. 
  3. Click Code security and analysis in the sidebar’s “Security” section. 
  4. Find “GitHub Advanced Security” under “Code security and analysis.” 
  5. Click Enable all under “Secret scanning” and “Push protection.” 
  6. Optionally, click “Automatically enable for private repositories added to secret scanning.” 

You can also turn it on for individual repositories from the Settings > Security & analysis > GitHub Advanced Security dialog. Further information on the secret scanning capabilities can be found here, and more details on how to work with push protection from the command line, including how to allow specific secrets to be pushed, can be found here. 

As previously documented, exposed credentials and secrets have resulted in high-impact breaches. As a result, allowing automatic secrets screening before submitting your code can help enterprises protect themselves from unintentional breaches while also improving supply-chain security. 

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.