GitHub’s Advanced Security service adds a proactive check to the developer workflow that searches code for sensitive information before it is pushed to a remote repository.
GitHub has updated its Advanced Security service with a proactive data leak protection feature. It runs when developers push their code changes to a remote repository with the git push command. The “push protection” functionality scans the pushed code and blocks the push if it identifies “secrets”, i.e. sensitive information such as access keys, identifiers or API keys that can be used to authenticate.
This capability was presented a few days ago in a blog post. GitHub Advanced Security is offered to enterprises. It provides code analysis, dependency checking and “secret scanning” services to help ensure that this information is not exposed within a repository. When a secret is spotted, developers can verify that it is indeed confidential data and remove it before resubmitting their code. In the rare case where an immediate fix isn’t relevant, developers can move forward by marking the secret as a false positive, as used in testing, or as something to be fixed later, GitHub explains.
69 reliable models to detect secrets
With the proactive protection feature, secret scanning is embedded into the developer workflow. To ensure that this doesn’t hamper development productivity, push protection only supports key types that can be accurately detected. According to GitHub, its feature has already detected over 700,000 secrets within thousands of private repositories.
“Last year, we changed the format of our own secrets and started collaborating with other token issuers to create highly identifiable patterns,” GitHub recalls in its post. “Today we’re launching support for 69 highly reliable models that each have a signal-to-noise ratio that developers can trust.” GitHub’s secret scanning checks for over a hundred different types of tokens.