GitHub Improves Secret Scanning Feature With Expanded Token Validity Checks


Software development giant GitHub on Wednesday announced an enhancement to its secret scanning feature, now allowing users to check the validity of exposed credentials for major cloud services.

Generally available since March 2023, the secret scanning feature is meant to help organizations and developers identify potentially exposed secrets in their repositories and take immediate action.

Backed by a large number of service providers in the GitHub Partner Program, the feature sends alerts to developers when exposed self-hosted keys are detected, and also notifies GitHub partners of leaked secrets in public repositories.

Developers and administrators can enable secret scanning for all their repositories to receive notifications as soon as a secret is inadvertently included in a code commit.

To help organizations and developers triage alerts and remedy exposed tokens faster, GitHub introduced validity checks for its own tokens earlier this year, eliminating the need to check whether each exposed token is active or not.

Now, the code-hosting platform is expanding the capability to AWS, Google, Microsoft, and Slack tokens, GitHub said.

“These account for some of the most common types of secrets detected across repositories on GitHub. We’ll continuously expand validation support on more tokens in our secret scanning partner program.

Advertisement. Scroll to continue reading.

Enterprise owners and repository administrators can enable the validation checks under “Code security and analysis” in “Settings”, by enabling “Automatically verify if a secret is valid by sending it to the relevant partner” option in the “Secret scanning” section.

After enabling the setting, information on whether an exposed token is active or not will be included in the received alerts.

The checks, GitHub says, are performed periodically in the background, but manual checks can also be made, by clicking ‘Verify secret’ in the top right corner.

“Validity checks are another piece of information at your disposal when investigating a secret scanning alert. We hope this feature will provide greater speed and efficiency in triaging alerts and remediation efforts,” GitHub added.

Related: Stolen GitHub Credentials Used to Push Fake Dependabot Commits

Related: GitHub Enterprise Server Gets New Security Capabilities

Related: GitHub Announces New Security Improvements



Source link