GitHub is one of the largest code hosting platforms in the world. Developers working in organizations, as individuals, and in enterprises use it to commit and push code to their repositories.
Microsoft acquired GitHub in 2018, and several features have been added to the platform since.
In April 2022, GitHub introduced a beta of its push protection feature for GitHub Advanced Security customers.
Push protection scans code as it is being pushed to GitHub, blocks a push that contains a potential secret, and tells the developer how to resolve it before the secret ever reaches the repository.
Since its release, the feature has prevented 17,000 potential secrets from leaking, which GitHub estimates would otherwise have cost 95,000 hours of revoking, rotating, and remediating exposed secrets.
Until now, push protection was available only to users with a GitHub Advanced Security license.
GitHub has now announced that push protection will be free for all public repositories, giving open source developers a proactive way to keep secrets out of their code.
GitHub developed the patterns push protection blocks together with the service providers that issue the tokens, so it targets highly identifiable secret formats and false positives are expected to be rare.
GitHub also advises that any alert raised by push protection is worth investigating.
Ger McMahon, Product Leader of ALM Tools and Platforms at Fidelity Investments, stated, “Incorporating secret scanning with push protection directly into the development workflow reduces friction, enabling developers to create secure and high-quality code.”
Push protection identifies the type of secret that was detected and provides remediation steps, either through a prompt in the IDE or as guidance on the command line when the push is rejected.
Developers can bypass a push protection block by recording a reason for doing so, such as false positive, used in testing, acceptable risk, or will fix later.
Every bypass is written to the organization or enterprise audit log, so security managers and administrators can review it later.
To enable push protection on a repository, open the repository settings, go to "Code security and analysis", and turn on "Push protection" in the secret scanning section.
Push protection can also be extended with custom secret patterns defined by the organization, so that proprietary token formats are blocked as well.
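The block-and-bypass flow described above, as an added example that is not GitHub's code: a git pre-push hook in Python that scans the outgoing commits for a few high-confidence token formats (the GitHub classic personal access token, AWS access key ID and Slack token formats are taken from the providers' public documentation), rejects the push, and only lets it through when the developer supplies one of the bypass reasons listed above, writing an audit record for each bypass. The PUSH_PROTECTION_BYPASS environment variable, the audit log path and the reason labels are assumptions made for this example, and the sample lines are constructed.

```python
"""Client-side analogue of push protection: a git pre-push hook that scans the
commits about to be pushed for high-confidence secret patterns, blocks the push,
and records any explicit bypass together with its reason."""
import json
import os
import re
import subprocess
import sys
from datetime import datetime, timezone

# Token formats taken from the providers' public documentation; the rest of this
# file (env var name, log path, reason labels) is illustrative and assumed.
SECRET_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}

# Bypass reasons mirroring the ones the article lists; anything else blocks.
BYPASS_REASONS = {"false_positive", "testing", "acceptable_risk", "fix_later"}
ZERO_SHA = "0" * 40

# Constructed sample of lines about to be pushed (not real credentials;
# AKIAIOSFODNN7EXAMPLE is the key ID AWS uses in its own documentation).
SAMPLE = """\
# settings.py
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
password_hint = "not a token"
"""


def find_secrets(text):
    """Return (pattern_name, line_number_in_text, masked_token) for every match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                # Never echo the full secret back into terminal or log output.
                hits.append((name, lineno, token[:4] + "..." + token[-4:]))
    return hits


def decide(text, bypass_reason=None):
    """Return (allowed, hits, audit_record).

    A push containing a hit is blocked unless a recognised bypass reason is
    given; then it is allowed and an audit record is returned so the bypass
    can be reviewed later, as the organization audit log allows on GitHub."""
    hits = find_secrets(text)
    if not hits:
        return True, hits, None
    if bypass_reason in BYPASS_REASONS:
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": os.environ.get("USER", "unknown"),
            "reason": bypass_reason,
            "findings": [f"{name}:{line}:{masked}" for name, line, masked in hits],
        }
        return True, hits, record
    return False, hits, None


def added_lines(remote_sha, local_sha):
    """Lines added by the commits that would be pushed (requires git)."""
    if remote_sha == ZERO_SHA:        # new branch: commits not on any remote yet
        rev_args = [local_sha, "--not", "--remotes"]
    else:
        rev_args = [f"{remote_sha}..{local_sha}"]
    patch = subprocess.run(["git", "log", "-p", "--format=", *rev_args],
                           capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in patch.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


def main():
    """Entry point for .git/hooks/pre-push: git passes one line per ref on stdin."""
    reason = os.environ.get("PUSH_PROTECTION_BYPASS")   # assumed env var name
    for line in sys.stdin:
        parts = line.split()
        if len(parts) != 4:
            continue
        _local_ref, local_sha, _remote_ref, remote_sha = parts
        if local_sha == ZERO_SHA:     # ref deletion, nothing to scan
            continue
        allowed, hits, record = decide(added_lines(remote_sha, local_sha), reason)
        for name, _lineno, masked in hits:
            print(f"push protection: {name} found ({masked})", file=sys.stderr)
        if record is not None:
            with open(os.path.expanduser("~/.push-protection-audit.log"), "a") as log:
                log.write(json.dumps(record) + "\n")
        if not allowed:
            print("push blocked: remove the secret from the commit or set "
                  "PUSH_PROTECTION_BYPASS to one of " + ", ".join(sorted(BYPASS_REASONS)),
                  file=sys.stderr)
            return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Copy the file to .git/hooks/pre-push and make it executable. Unlike GitHub's server-side check it only runs on machines where the hook is installed, so it complements push protection on the remote rather than replacing it; keeping the pattern list to formats that are unmistakable is what keeps the false-positive rate low enough that developers do not learn to bypass it reflexively.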