GitHub is making push protection – a security feature designed to automatically prevent the leaking of secrets to repositories – free for owners of all public repositories.
Previously, the feature was available only for private repositories with a GitHub Advanced Security license. This wider availability is aimed at helping developers and maintainers across open source proactively secure their code.
Prevent leaking secrets with GitHub push protection
Credential leakage is one of the most prevalent causes of data breaches in today’s digital landscape, fueled (among other things) by the common practice among developers of including sensitive information, such as passwords, encryption keys, or API keys, directly within the source code.
Whether this happens due to oversight, negligence, or lack of awareness regarding security best practices, the result is the same: the secrets can be discovered (and then abused) by threat actors.
Push protection stops the leaking of secrets by scanning a code commit before it gets pushed. Developers get alerted directly in their integrated development environment (IDE) or command line interface (CLI).
“If you are pushing a commit containing a secret, a push protection prompt will appear with information on the secret type, location, and how to remediate the exposure. Once you have removed the secret from your commit history, you can re-push your commit,” GitHub’s Mariam Sulakian and Zain Malik explained.
“Push protection only blocks secrets with low false positive rates, so when a commit is blocked, you know it’s worth investigating.”
In case developers need to push code that contains a secret because of an urgency, they can bypass push protection by providing a valid reason – repository and organization administrators and security managers will be notified by email.
Enabling push protection
Admins can enable the push protection feature in the GitHub code security and analysis settings. Both secret scanning and push protection can be enabled.
Enabling secret scanning and push protection (Source: GitHub)
“Secret scanning as a push protection currently scans repositories for secrets issued by some service providers,” GitHub explains, noting that secret scanning can be made to also check pushes for custom patterns.
Push protection might not support older versions of certain tokens, as well as legacy tokens.