GitHub has also expanded the secret scanning capabilities of its platform for GitHub Advanced Security customers so that leaked secrets can be blocked automatically.
Secret scanning is an additional security feature that organizations using GitHub Enterprise Cloud with a GitHub Advanced Security license can enable for a deeper analysis of their repositories. Scanning works by matching patterns defined by the organization or supplied by partners and service providers.
The new feature, known as push protection, is designed to prevent accidental disclosure of credentials before code is pushed to remote repositories. It embeds secret scanning into the developer workflow and covers 69 token types (API keys, authentication tokens, access tokens, management certificates, credentials, private keys, secret keys, etc.).
If GitHub Enterprise Cloud identifies a secret before the code is pushed, the push is blocked so that developers can review and remove the secrets from the code they attempted to push. Developers can also mark an alert as a false positive or a test case, or flag it to be fixed later.
Organizations with GitHub Advanced Security can enable push protection for secret scanning at both the repository level and the organization level, through the API or with a single click in the user interface.
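To make the mechanism concrete, here is an added example (not GitHub's code) of a minimal push-protection style check: it scans only the lines a push would add, matches them against provider-style patterns, and honours an allowlist standing in for alerts a developer has marked as false positives or test cases. The two patterns and the sample diff are constructed for this example and are not GitHub's real secret-scanning patterns.

```python
import re
from dataclasses import dataclass

# Constructed patterns standing in for partner-defined templates; the formats are
# made up for this example and do not correspond to any real provider's tokens.
PATTERNS = {
    "example-api-key": re.compile(r"\bexk_[A-Za-z0-9]{32}\b"),
    "example-private-key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

@dataclass
class Finding:
    path: str
    line_no: int      # line number in the new version of the file
    secret_type: str

def scan_diff(diff_text, allowlist=frozenset()):
    """Return findings for added lines of a unified diff, skipping allowlisted (path, match) pairs."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header: remember the path
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("@@"):               # hunk header: reset new-file line counter
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):                # removed lines and old-file header: not pushed
            continue
        line_no += 1                           # context and added lines both advance numbering
        if not raw.startswith("+"):
            continue
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(raw[1:]):
                if (path, m.group(0)) in allowlist:   # marked false positive / test case
                    continue
                findings.append(Finding(path, line_no, name))
    return findings

def push_allowed(diff_text, allowlist=frozenset()):
    """The push goes through only when no unallowlisted secret was found."""
    return not scan_diff(diff_text, allowlist)

# Constructed sample diff: one config file leaking an API key, one new private key file.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 import os
+API_KEY = "exk_0123456789abcdef0123456789abcdef"
 DEBUG = False
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+(constructed placeholder, not real key material)
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the key on line 2 of config.py and the private key header on line 1 of deploy/id_rsa, so `push_allowed` refuses the push until both are removed or allowlisted.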
“To date, GitHub has discovered more than 700 thousand secrets in thousands of private repositories using secret scanning for GitHub Advanced Security. GitHub also scans our partners’ templates in all public repositories (for free),” GitHub noted.