GitHub Rolls Out Secret Scanning To All Public Repos For Free

Putting security credentials in source code is not a good idea. It happens anyway, and the consequences can be severe. GitHub had previously made its secret scanning service available only to paying enterprise customers who purchased GitHub Advanced Security. Now, Microsoft-owned GitHub is making its secret scanning service free for all public GitHub repos.

The company notified partners in its secret scanning program of more than 1.7 million secrets exposed in public repositories in 2022. The service scans repositories for more than 200 token formats, and partners are notified of possible leaks of their tokens. You can also define your own regex patterns.
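As an added illustration (not GitHub's code and not its actual pattern list), here is a small scanner in the spirit of the service described above: it checks file content against a couple of well-known token formats plus user-supplied regex patterns, and reports findings with the value masked so a report never re-leaks the secret. The pattern names, the sample config and the token values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Built-in patterns modelled on two well-known token formats (a constructed
# set for this example, not GitHub's own 200+ pattern list).
BUILTIN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    pattern: str
    line_no: int
    redacted: str  # masked value; reports must not repeat the secret


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    keep = min(4, len(value))
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text: str, custom_patterns: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Scan content line by line against built-in and custom regex patterns."""
    patterns = dict(BUILTIN_PATTERNS)
    for name, regex in (custom_patterns or {}).items():
        patterns[name] = re.compile(regex)  # user-defined pattern, as in the article
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, regex in patterns.items():
            for match in regex.finditer(line):
                findings.append(Finding(name, line_no, redact(match.group(0))))
    return findings


# Constructed sample file content; every token value here is made up.
SAMPLE_CONFIG = """\
# app settings
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
INTERNAL_KEY=acme_live_0123456789abcdef
API_URL=https://example.invalid
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, {"acme_key": r"\bacme_live_[0-9a-f]{16}\b"}):
        print(f"{f.pattern} on line {f.line_no}: {f.redacted}")
```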

Postmates staff security engineer David Ross said that secret scanning revealed many important issues to address. “On the AppSec side, it’s often the best way for us to get visibility into issues in the code.”

If you have code hosted on GitHub, the company will now notify you directly about any leaked secrets, including secrets that aren't covered by a partner.

To use the service, you must enable the feature in your GitHub security settings. The rollout will be gradual and the service will not be available to everyone until January 2023.

GitHub’s tool is one of many that can scan for leaks. Open source tools such as Gitleaks, which can be integrated with GitHub Actions, and a range of security companies such as Nightfall and Check Point’s Spectral are also available. However, those commercial services are broader than secret scanning and are usually geared toward enterprises.
