GitHub enables secret scanning push protection by default

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


In response to the alarming trend of API keys, tokens, and other confidential data being inadvertently exposed, GitHub has taken further steps to fortify its platform against potential breaches.

Within the first two months of 2024, GitHub has uncovered one million leaked secrets across public repositories, averaging over a dozen incidents per minute. Such alarming figures underscore the pressing need for robust safeguards to protect users and their data.

Since August last year, GitHub has offered users the option to opt in to secret scanning push protection—a feature designed to automatically intercept and block commits upon the detection of sensitive information. Building on this initiative, GitHub has now made secret scanning push protection mandatory for all pushes to public repositories.

The recent rollout of push protection marks a significant stride towards bolstering the security posture of GitHub’s vast user base. Under this new framework, users will be presented with the option to either remove the detected secret from their commits or, if deemed safe, bypass the block. While the transition to this enhanced security protocol may take a week or two to apply universally, users can proactively verify the status and opt-in early through the code security and analysis settings.

Acknowledging the potential ramifications of leaked secrets, GitHub underscores the importance of safeguarding not only private repositories but also public ones, which are integral to the open-source community. With over 95 percent of pushes to private repositories already being scanned by GitHub Advanced Security customers, extending push protection to public repositories reflects a commitment to upholding the integrity and security of the entire GitHub ecosystem.

Despite the implementation of push protection, GitHub affirms users’ autonomy in managing their security preferences. While the default setting is to enable push protection, users retain the flexibility to bypass the block or disable push protection entirely through their user security settings. However, GitHub strongly advises against disabling push protection outright—advocating instead for a judicious approach where exceptions are made on a case-by-case basis.
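Push protection as described above has three moving parts: the pushed content is matched against known secret formats before it lands, a match blocks the push, and the developer either removes the secret or deliberately bypasses the block for that one case. The script below is an added illustration of that flow, not GitHub's code and not its detector set (which the article puts at over 200 token types; only two publicly documented formats and a private-key header are used here). It scans the added lines of a constructed unified diff and models the case-by-case bypass as an allowlist of SHA-256 fingerprints, so the exception record never contains the secret itself. The sample token values are constructed (the AWS key ID is the placeholder AWS uses in its own documentation).

```python
import hashlib
import re
from dataclasses import dataclass

# Illustrative subset of detectors (assumption: a real service maintains far more).
# ghp_ classic tokens and AKIA access key IDs are publicly documented formats.
PATTERNS = {
    "github_personal_access_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Unified-diff hunk header; group 1 is the starting line number in the new file.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    fingerprint: str  # SHA-256 of the matched text; the secret itself is never stored


def fingerprint(secret: str) -> str:
    """Stable identifier for one specific secret value, safe to keep in an allowlist file."""
    return hashlib.sha256(secret.encode()).hexdigest()


def scan_diff(diff_text: str, allowlist: frozenset = frozenset()) -> list:
    """Scan only the lines a push would add. Fingerprints in `allowlist` are the
    case-by-case bypasses the text recommends instead of disabling protection."""
    findings = []
    path, line_no = "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw == "" or raw.startswith(("diff --git", "--- ", "\\")):
            continue
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            line_no = int(header.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: not part of what gets pushed
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(content):
                    fp = fingerprint(match.group(0))
                    if fp not in allowlist:
                        findings.append(Finding(path, line_no, kind, fp))
        line_no += 1  # context and added lines both advance the new-file line counter
    return findings


def push_allowed(findings: list) -> bool:
    """The block decision: any unallowlisted finding rejects the push."""
    return not findings


def format_report(findings: list) -> str:
    """What the developer sees: location and type, never the secret value."""
    return "\n".join(
        f"{f.path}:{f.line_no}: {f.kind} (fingerprint {f.fingerprint[:12]}...)" for f in findings
    )


# Constructed sample diff; both secret values are placeholders, not live credentials.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
-TIMEOUT = 30
+TIMEOUT = 60
"""

if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    print(format_report(found))
    print("push allowed:", push_allowed(found))
    # A deliberate, recorded exception for one value; the other finding still blocks.
    exception = frozenset({fingerprint("AKIAIOSFODNN7EXAMPLE")})
    print("push allowed with one exception:", push_allowed(scan_diff(SAMPLE_DIFF, exception)))
```

Run as a pre-push hook over `git diff` output, this blocks on the two added lines and passes once the secrets are removed. Storing fingerprints rather than values in the allowlist matters: a bypass file that held the raw token would itself be a leak waiting to be committed.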

For organisations leveraging the GitHub Enterprise plan, additional security features – including GitHub Advanced Security – are available to fortify private repositories against potential breaches. This comprehensive DevSecOps platform solution encompasses secret scanning, code scanning, AI-powered autofix code suggestions, and other static application security testing (SAST) features.

GitHub’s secret-scanning technology encompasses over 200 token types and patterns from more than 180 service providers, boasting industry-leading precision and minimising false positives. By leveraging the collective efforts of the community, GitHub aims to prevent the inadvertent exposure of sensitive information on public repositories.

Earlier this week, research from Apiiro found that over 100,000 repositories on GitHub are infected with malicious code. The platform has been grappling with an ongoing “repo confusion” attack, where thousands of repositories flooded with obfuscated malware have targeted the platform.

These attacks are part of a larger malware distribution campaign, reminiscent of tactics disclosed by Phylum last year. The campaign relies on deceptive Python packages hosted on cloned repositories to disseminate a malicious payload known as BlackCap Grabber.

GitHub’s rollout of automatic push protection serves as a critical defence mechanism against such nefarious activities, providing users with enhanced visibility and control over their repositories’ security.

(Photo by Kristina Flour on Unsplash)
