On Monday, GitHub announced an improvement to the secret scanning capabilities of its code hosting platform for GitHub Advanced Security customers that lets them block leaked secrets automatically. Secret scanning is a security feature that organizations with a GitHub Advanced Security license can enable for additional repository screening on GitHub Enterprise Cloud.
It works by matching patterns defined by GitHub or supplied by service providers and partners. Each match is reported as a security alert in the repository's Security tab or, if it matches a partner pattern, forwarded to that partner.
Push protection is the latest addition. It prevents credentials from being accidentally exposed by checking code before it reaches the remote repository, building secret scanning into the development workflow itself rather than reporting a leak after the fact. It supports 69 token types (API keys, secret keys, access tokens, credentials, management certificates, authentication tokens, private keys, and more), chosen because they can be detected with a low false-positive rate.
“With push protection, GitHub will check for high-confidence secrets as developers push code and block the push if a secret is identified,” said GitHub. “To make this possible without disrupting development productivity, push protection only supports token types that can be detected accurately.”
If GitHub Enterprise Cloud detects a secret in a push, the git push is rejected until the developer has reviewed the flagged content and removed the secret from the commits being pushed. The secret has to be removed from every commit in the push, not just the tip, which usually means amending or interactively rebasing; and a credential that was ever committed should be treated as compromised and rotated regardless. Alternatively, the developer can bypass the block by marking the finding as a false positive, as a test credential, or as something to be fixed later.
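The server-side block described above has a natural client-side complement: a local pre-push hook that scans the commits about to leave the machine and refuses the push if an added line matches a high-confidence secret pattern. The following is an added example, not GitHub's own code and not how GitHub's push protection is implemented; it assumes a small hand-picked pattern set (a GitHub personal access token, an AWS access key ID and a PEM private-key header) rather than GitHub's 69 token types, and it uses `git log -p` so that a secret added in one commit and removed in a later one is still caught.

```shell
#!/bin/sh
# Added example: a local pre-push hook that refuses to push commits whose added
# lines contain high-confidence secret patterns. This is a client-side
# complement to GitHub's server-side push protection, not GitHub's own code.
# Install: copy to .git/hooks/pre-push and chmod +x.

# Assumption: a small hand-picked pattern set (GitHub PAT, AWS access key ID,
# PEM private key header), not the 69 token types GitHub checks server-side.
SECRET_PATTERNS='ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Read a unified diff on stdin. Return 1 (block) if any *added* line matches a
# pattern, 0 otherwise. The '+++ b/file' header lines are skipped.
scan_diff_for_secrets() {
    hits=$(grep -E '^[+]' | grep -Ev '^[+]{3} ' | grep -E "$SECRET_PATTERNS" || true)
    if [ -n "$hits" ]; then
        printf 'pre-push: possible secret in added line(s):\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Hook entry point. git feeds one line per ref being pushed on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
run_pre_push_hook() {
    zero=0000000000000000000000000000000000000000
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ "$local_sha" = "$zero" ] && continue        # ref deletion: nothing to scan
        if [ "$remote_sha" = "$zero" ]; then
            # New remote branch: scan only commits not already on some remote.
            diff=$(git log -p --format=format: "$local_sha" --not --remotes)
        else
            # Existing branch: scan exactly the commits being pushed.
            diff=$(git log -p --format=format: "$remote_sha..$local_sha")
        fi
        printf '%s\n' "$diff" | scan_diff_for_secrets || {
            printf 'pre-push: push of %s blocked; remove the secret from every commit in the range (amend/rebase) and rotate it.\n' "$local_ref" >&2
            exit 1
        }
    done
}

# Only act when git actually runs this file as the pre-push hook.
case "$0" in
    */pre-push) run_pre_push_hook "$@" ;;
esac
```

A hook like this is only a guard for the developer's own machine (anyone can skip it with `git push --no-verify`), which is exactly why the server-side check matters; the value of the local copy is that it fails before the secret is ever sent over the wire.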
Secret scanning push protection can be enabled at both the repository and organization level via the API, or with a single click in the user interface for organizations using GitHub Advanced Security. To enable push protection for your organization:
- Navigate to the organization’s home page on GitHub.com.
- Click Settings from the drop-down menu next to your organization’s name.
- Click Code security and analysis in the sidebar’s “Security” section.
- Find “GitHub Advanced Security” under “Code security and analysis.”
- Click Enable all next to "Secret scanning" and then next to "Push protection."
- Optionally, select "Automatically enable for private repositories added to secret scanning."
You can also turn it on for an individual repository from Settings > Security & analysis > GitHub Advanced Security. Further information on secret scanning, on working with push protection from the command line, and on allowing specific secrets to be pushed is available in GitHub's documentation.
As previously reported, exposed credentials and secrets have led to high-impact breaches. Enabling automatic secret screening before code is pushed helps organizations protect themselves against such accidental leaks and strengthens their software supply-chain security.
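The UI steps above are fine for one organization; for scripting across many organizations or repositories the same settings are reachable through the REST API mentioned earlier. The following is an added example, not from the article or from GitHub: it PATCHes the organization (`/orgs/{org}`) to turn push protection on for new repositories, PATCHes an individual repository (`/repos/{owner}/{repo}`) to enable it directly, and reads the repository setting back to verify. It assumes `GITHUB_TOKEN` holds a token with admin rights on the target, and `acme`/`widgets` are placeholder names.

```shell
#!/bin/sh
# Added example (not from the article or from GitHub): enable secret scanning
# push protection through the REST API, for scripting across many orgs/repos.
# Assumes GITHUB_TOKEN holds a token with admin rights on the target org/repo.
API=${GITHUB_API:-https://api.github.com}

# Send a JSON body with PATCH to an API path (errors surface as HTTP 4xx bodies).
gh_patch() {
    path=$1
    body=$2
    curl -sS -X PATCH "$API$path" \
        -H 'Accept: application/vnd.github+json' \
        -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN first}" \
        -H 'X-GitHub-Api-Version: 2022-11-28' \
        -d "$body"
}

# Organization level: mirrors the UI's "automatically enable for new
# repositories" toggle. PATCH /orgs/{org}
org_push_protection_body() {
    printf '{"secret_scanning_enabled_for_new_repositories":true,"secret_scanning_push_protection_enabled_for_new_repositories":true}'
}
enable_org_push_protection() {
    gh_patch "/orgs/$1" "$(org_push_protection_body)"
}

# Repository level: PATCH /repos/{owner}/{repo}. Secret scanning depends on
# Advanced Security being on, so all three are enabled in one request.
# (On a public repository omit the "advanced_security" entry; those features
# are already available there.)
repo_push_protection_body() {
    printf '{"security_and_analysis":{"advanced_security":{"status":"enabled"},"secret_scanning":{"status":"enabled"},"secret_scanning_push_protection":{"status":"enabled"}}}'
}
enable_repo_push_protection() {
    gh_patch "/repos/$1/$2" "$(repo_push_protection_body)"
}

# Verification: pull the status back out of a GET /repos/{owner}/{repo} response.
# Whitespace is stripped first so pretty-printed JSON matches too.
extract_push_protection_status() {
    tr -d ' \n\t' | sed -n 's/.*"secret_scanning_push_protection":{"status":"\([a-z_]*\)".*/\1/p'
}
repo_push_protection_status() {
    curl -sS "$API/repos/$1/$2" \
        -H 'Accept: application/vnd.github+json' \
        -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN first}" \
        -H 'X-GitHub-Api-Version: 2022-11-28' \
        | extract_push_protection_status
}

# Usage (real calls; need network access and a token):
#   enable_org_push_protection acme
#   enable_repo_push_protection acme widgets
#   repo_push_protection_status acme widgets   # expect: enabled
```

The readback step is the part worth keeping in any rollout script: a PATCH that returns 200 but silently leaves `secret_scanning_push_protection` disabled (for example because Advanced Security was not available on that repository) is easy to miss otherwise. GitHub has since introduced code security configurations for organization-wide defaults, so check the current REST reference if the organization-level fields are rejected.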