GitHub Secret Scanning is now Free (as in Beer)

Microsoft’s GitHub source control service will help stop devs accidentally embedding secrets in public code repositories. A new free service will let you know if you’ve done something you shouldn’t have.

For example, private keys or database access tokens. Easy to accidentally check in without thinking. But not something you want a malefactor to discover. It’s a big problem.

Naturally, there’s no such thing as a free lunch. GitHub wants you to upgrade to the premium version of the service. In today’s SB Blogwatch, we look a gift horse in the mouth.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: AnDyWuMusicland’s 2022.

Can You Keep a Secret?

What’s the craic? Sergiu Gatlan reports—“GitHub rolls out free secret scanning for all public repositories”:

Prevent the fraudulent use of any secrets
Secret scanning is a security option that organizations can enable for additional repository scanning to detect accidental exposure of known types of secrets … (such as credentials and auth tokens). … Exposed credentials and secrets have led to high-impact breaches. … Enabling secrets scanning is an easy way for organizations using GitHub to increase supply-chain security and safeguard themselves from accidental leaks.

It works by matching patterns provided by partners and service providers or defined by the organization. Each match is reported as a security alert in the repo’s Security tab or to partners if a partner pattern triggers the match … thus allowing organizations to easily track alerts, identify a leak’s source, and quickly take action to prevent the fraudulent use of any secrets committed to a public repo by accident.

Déjà vu? Tara Seals explains—“GitHub Expands Secret Scanning”:

Can recognize over 200 known token formats
Up until now, the service was available to paid enterprise users. … The new policy will provide the service for free to all public GitHub repositories.

While the scanner can recognize over 200 known token formats, there is also the option to define custom regex patterns. … Developers will be able to find this option in their repository settings [in] a section called Vulnerability alerts, and a Security tab. All secrets found by the service will be displayed in the same section, along with suggested ways to remediate the exposures.

Horse’s mouth? Mariam Sulakian and Zain Malik—“Leaked a secret? Check your GitHub alerts”:

Own the holistic security of your repositories
Exposed secrets and credentials are the most common cause of data breaches and often go untracked. With an average of 327 days to identify [them], credential leaks can lead to severe consequences. Still, organizations struggle to detect leaks at scale and take prompt action.

Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. … You’ll always have easy tracking across all alerts to drill deeper into the leak’s source and audit actions taken on the alert. … If you’re a service provider and interested in protecting our shared users from leaking secrets, we encourage you to join the secret scanning partner program.

I can feel the wind of change. Perhaps because dhines5 is a big fan: [You’re fired—Ed.]

Sounds like a great feature, it’ll give peace of mind knowing that I didn’t commit something sensitive by accident. I’ve always assumed there are hordes of bots that crawl public repos looking to steal secrets.

It’s about time. flatiron is surrounded by idiots:

Good on them. GitHub secrets cause a lot of problems. They will always create a better idiot but this idiot trap is long past due. I also can’t wait until people base64 their creds to get past this.
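The Gatlan and Seals quotes above describe the mechanism (known token formats plus organization-defined regex patterns, each hit raised as an alert), and flatiron raises the obvious evasion: base64-encode the credential so a plain pattern never fires. The script below is an added illustration of both points, not GitHub's scanner or its partner patterns. The token regexes are assumed, approximate shapes; the `acme_` custom pattern is invented; the config snippet it scans is constructed for the example (the `AKIA…` value is the placeholder key from AWS's own documentation, not a live credential).

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Assumed, approximate shapes of well-known token formats. GitHub's real partner
# patterns are not public; these are illustrative only.
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# An organization-defined "custom regex pattern" (invented for this example).
CUSTOM_PATTERNS = {
    "acme_internal_token": re.compile(r"\bacme_[a-f0-9]{32}\b"),
}

# Runs of base64 alphabet long enough to plausibly hide a credential.
BASE64_CHUNK = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    match: str
    encoding: str  # "plain" or "base64"


def _scan_text(text, line_no, encoding, patterns):
    """Run every pattern over one piece of text, returning all hits."""
    return [Finding(line_no, kind, m.group(0), encoding)
            for kind, rx in patterns.items()
            for m in rx.finditer(text)]


def _decode_base64_candidates(line):
    """Yield the ASCII plaintext of every chunk on the line that is valid base64.

    validate=True rejects chunks with bad padding or stray characters, which
    weeds out most ordinary long words and hex strings; non-ASCII output is
    discarded because a text credential would decode to printable ASCII.
    """
    for m in BASE64_CHUNK.finditer(line):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            yield raw.decode("ascii")
        except UnicodeDecodeError:
            continue


def scan(content, extra_patterns=None):
    """Scan text line by line; rescan decoded base64 chunks with the same rules."""
    patterns = {**KNOWN_PATTERNS, **(extra_patterns or {})}
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        findings.extend(_scan_text(line, line_no, "plain", patterns))
        for decoded in _decode_base64_candidates(line):
            findings.extend(_scan_text(decoded, line_no, "base64", patterns))
    return findings


# Constructed sample: a .env-style file a developer might commit by accident.
SAMPLE_ENV = """\
DB_HOST=db.internal.example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
# "clever" workaround: the same AWS key, base64-encoded
AWS_KEY_B64=QUtJQUlPU0ZPRE5ON0VYQU1QTEU=
INTERNAL=acme_0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_ENV, CUSTOM_PATTERNS):
        print(f"line {f.line_no}: {f.kind} ({f.encoding}) {f.match}")
```

Run as-is it reports four alerts: the AWS key and the GitHub token in the clear, the custom `acme_` token, and the base64-encoded AWS key on line 5, which the plain regexes alone would have missed. The decode-and-rescan pass is a cheap answer to flatiron's objection, but only for this one trick; it says nothing about hex, reversed strings or XOR-obfuscated values, and the quoted material does not say which encodings GitHub's own service looks through. Treat any such scanner as the "spell checker" Petersko asks for below, not as proof a repository is clean.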

“Idiots” is a bit strong, though? Here’s Petersko’s experience:

I work for a consultancy, delivering software development services for medium to large organizations. … Last week I found a secret that:
– Was the same in all environments, including production
– Was hard-coded into the application
– Was checked into an unsecured git environment
– Was peer reviewed and “passed.”

It was a new grad who made the first mistake, but not only didn’t others catch it immediately, the ecosystem perpetuated the insecurity. These are “professionals.” While I’m generally happy with the work they do, this kind of thing screams “amateur hour”, and could really damage our reputation. I would not be averse to a tool that catches it. Consider it the “spell checker” of this world.

Wait. Pause. How is this even happening? As rieTohgh6 describes, daft devs definitely do deviate:

People keep adding whole tmp/ directories or output binaries to repositories; accidents like this just keep happening. … For a scenario: people trying to run some test, on a real service, to debug some weird issue, will temporarily put in credentials and forget to remove them before committing the fix. Sure, someone will probably notice it in code review, but it is too late if the repo was public.

Free is the magic number. But u/Nothemagain imagines GitHub product managers rubbing their hands with glee:

Until we find something then we make the repo private. And get you to upgrade. Freeee.

Meanwhile, evdubs decks the halls:

Do you think they call this service their “Secret Scanta”?

And Finally:

Next 2022 roundup mashup

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Kristina Flour (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
