Categories: Tech NewsTechCrunch+

GitHub brings free secret scanning to all public repos

Every developer knows that it’s a bad idea to hardcode security credentials into source code. Yet it happens and when it does, the consequences can be dire. Until now, GitHub only made its secret scanning service available to paying enterprise users who paid for GitHub Advanced Security, but starting today, the Microsoft-owned company is making its secrets scanning service available for all public GitHub repos for free.

In 2022 alone, the company notified partners in its secret scanning partner program of over 1.7 million potential secrets that were exposed in public repositories. The service scans repositories for over 200 known token formats and then alerts partners of potential leaks — and you can define your own regex patterns, too.

Image Credits: GitHub

“With secret scanning we found a ton of important things to address,” said David Ross, a staff security engineer at Postmates. “On the AppSec side, it’s often the best way for us to get visibility into issues in the code.”

Now, if you host your code on GitHub, the company will automatically notify you directly about leaked secrets in your source code. This also means that you will get alerts for secrets where there isn’t a partner to notify (maybe because you self-host your HashiCorp Vault, for example).

To begin using the service, you have to enable the feature in their GitHub security settings. However, the rollout of the service will be gradual and it will not be available to all users until the end of January 2023.

GitHub’s own tool is, of course, not the only service that will scan for leaked secrets. There are also open-source tools like gitLeaks (which can integrate with GitHub actions) and a plethora of security companies like Nightfall and CheckPoint’s Spectral, though their services tend to go well beyond secret scanning and are generally geared toward enterprises.

GitHub brings free secret scanning to all public repos by Frederic Lardinois originally published on TechCrunch

Recent Posts

Unlocking the Secrets of JSON.stringify(): More Than Meets the Eye

JSON (JavaScript Object Notation) is a lightweight data-interchange format widely used in web development. At…

2 months ago

How to Handle AJAX GET/POST Requests in WordPress

AJAX (Asynchronous JavaScript and XML) is a powerful technique used in modern web development that…

3 months ago

Page Speed Optimization: Post-Optimization Dos and Don’ts

Introduction After successfully optimizing your website for speed, it's essential to maintain and build upon…

3 months ago

Ultimate Guide to Securing WordPress Folders: Protect Your Site from Unauthorized Access

Securing your WordPress folders is crucial to safeguarding your website from unauthorized access and potential…

4 months ago

HTML CSS PHP File Upload With Circle Progress Bar

Creating a file upload feature with a circular progress bar involves multiple steps. You'll need…

5 months ago

Using WP Rocket with AWS CloudFront CDN

Integrating WP Rocket with AWS CloudFront CDN helps to optimize and deliver your website content…

5 months ago