
GitHub Now Auto-Scans For Secrets, And It’s Working


GitHub’s beta push protection program is now open to the public, automatically scanning pushes for a list of 230 token types. The service proactively prevents leaks by scanning for secrets before a ‘git push’ operation is accepted. “If you are pushing a commit containing a secret, a push protection prompt will appear with information on the secret type, location, and how to remediate the exposure,” GitHub said today.

Excerpts:

To help developers and maintainers across open source proactively secure their code, GitHub is making push protection free for all public repositories.

Push protection prevents secret leaks without compromising the developer experience by scanning for highly identifiable secrets before they are committed.

In certain instances, you may need to push code that has a secret in it, for example, fixing an outage with speed and addressing the secrets after. You can bypass push protection by providing a reason, for example, it’s used for testing, is a false positive, or is an acceptable risk that will be fixed later. Repository and organization administrators and security managers will receive an email alert on all bypasses and can audit any bypasses via their enterprise and organization audit logs, alert view UI, REST API, or webhook events.
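The flow GitHub describes in the excerpts above (detect a high-confidence secret before the push lands, report its type and location with a remediation hint, and accept a bypass only with a stated reason that is recorded for administrators) as an added illustration; this is not GitHub’s own code. The two token patterns are simplified stand-ins for the 230 types the real service checks, and the sample files and credential-looking values are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified patterns for two well-known token formats. The real
# service validates ~230 provider-specific formats; these are illustration only.
SECRET_PATTERNS = {
    "github_personal_access_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Reasons the page lists for a bypass: testing, false positive, fix later.
BYPASS_REASONS = {"used_in_tests", "false_positive", "will_fix_later"}

@dataclass
class Finding:
    secret_type: str
    path: str
    line: int
    remediation: str = "Remove the secret from the commit, then revoke and rotate it."

@dataclass
class AuditLog:
    """Stand-in for the audit log / webhook stream administrators review."""
    bypasses: list = field(default_factory=list)

def scan_push(files):
    """files: {path: content}. Return one Finding per matched line and pattern."""
    findings = []
    for path, content in files.items():
        for lineno, text in enumerate(content.splitlines(), start=1):
            for secret_type, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append(Finding(secret_type, path, lineno))
    return findings

def push(files, audit, actor, bypass_reason=None):
    """Return (accepted, findings). Blocked unless clean or bypassed with a reason;
    every bypass is recorded so it can be audited later."""
    findings = scan_push(files)
    if not findings:
        return True, findings
    if bypass_reason in BYPASS_REASONS:
        audit.bypasses.append({"actor": actor, "reason": bypass_reason,
                               "secrets": [(f.secret_type, f.path, f.line) for f in findings]})
        return True, findings
    return False, findings

# Constructed sample commit; the values are fabricated, not real credentials.
SAMPLE_FILES = {
    "config/settings.py": "DEBUG = False\nAWS_KEY = 'AKIAAAAAAAAAAAAAAAAA'\n",
    ".env": "TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "README.md": "# Service\nRun `make test` before pushing.\n",
}
```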

Ted Miracco, CEO, Approov Mobile Security had this to say:

“Overall, the push protection program by GitHub is a step in the right direction, and could be especially impactful in improving mobile app security, for critical fintech and healthcare apps that leak secrets in over 90% of the apps tested. This is an excellent tool for developers to use in securing their code, however it is only effective if CISOs are committed to enforcing the use of the capabilities.

“Making push protection free for all public repositories is another positive that can lower the barriers to use of this technology. However, it’s worth noting that the push protection feature can slow down the development process, and this may lead developers to bypass the testing in certain instances. It will be very important for administrators to keep track of any exceptions and to audit regularly to ensure compliance with the security of the system.”

This is a good move, as it protects users from their own mistakes, which in today’s environment could have far-reaching consequences. Good on you GitHub!
