GitHub’s Secret Scanning validity checks now include AWS, Microsoft, Google, and Slack

GitHub has announced that it has expanded the “validity check” feature of secret scanning to cover tokens issued by Amazon Web Services (AWS), Microsoft, Google, and Slack. Secret scanning alerts, on which validity checks build, were introduced last December and were limited to public repositories on the GitHub platform. “Secret scanning alerts notify you directly about leaked secrets in your code,” the company said at the time.

Validity checks go one step further: GitHub checks with the token’s provider whether an exposed token found by secret scanning is still active, and the alert says so. That lets a team work the alerts for live credentials first rather than spending the same effort on tokens that were already revoked. The company said it intends to support more token types in the future.
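To make that triage concrete, here is an added example (not GitHub’s own code) that pulls alerts through the secret scanning REST endpoint, filtered server-side by validity, and orders them into a rotation queue. The endpoint path, the `validity` values (active, inactive, unknown) and the request headers are taken from GitHub’s REST API documentation; the sample alert payload, the OWNER/REPO placeholders and the triage policy are constructed for this example.

```python
"""Pull secret scanning alerts by validity and order them for rotation.

Added example for this post, not GitHub's code. The endpoint and its
`validity` filter (active, inactive, unknown) are documented by GitHub;
the triage policy and the sample alerts below are this example's own.
"""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.github.com"
# Rotation order: live tokens first, then tokens GitHub could not verify,
# then ones the provider reports as already inactive.
PRIORITY = {"active": 0, "unknown": 1, "inactive": 2}
ACTION = {
    "active": "rotate now, then look for use in the provider's audit logs",
    "unknown": "check with the provider; treat as live until proven otherwise",
    "inactive": "confirm it was revoked before exposure, then resolve the alert",
}


def alerts_url(owner, repo, validity=("active", "unknown"), state="open", per_page=100):
    """Build the documented list-alerts URL, filtering server-side by validity."""
    query = urllib.parse.urlencode(
        {"state": state, "validity": ",".join(validity), "per_page": per_page}, safe=",")
    return f"{API}/repos/{owner}/{repo}/secret-scanning/alerts?{query}"


def fetch_alerts(owner, repo, token, **filters):
    """One page of alerts; the token needs the repo or security_events scope."""
    req = urllib.request.Request(alerts_url(owner, repo, **filters), headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(alerts):
    """Sort alerts into a rotation queue and attach a suggested action.

    Within a validity tier, alerts whose author bypassed push protection come
    first (the secret was knowingly pushed), then oldest exposure first.
    """
    def key(alert):
        return (PRIORITY.get(alert.get("validity"), 1),
                0 if alert.get("push_protection_bypassed") else 1,
                alert.get("created_at", ""))

    queue = []
    for alert in sorted(alerts, key=key):
        validity = alert.get("validity", "unknown")
        queue.append({"number": alert["number"], "secret_type": alert["secret_type"],
                      "validity": validity, "action": ACTION.get(validity, ACTION["unknown"])})
    return queue


# Constructed sample response, trimmed to the fields triage() reads.
SAMPLE_ALERTS = [
    {"number": 7, "secret_type": "slack_api_token", "validity": "inactive",
     "push_protection_bypassed": False, "created_at": "2023-10-01T09:00:00Z"},
    {"number": 9, "secret_type": "aws_access_key_id", "validity": "active",
     "push_protection_bypassed": False, "created_at": "2023-10-03T12:00:00Z"},
    {"number": 11, "secret_type": "google_api_key", "validity": "unknown",
     "push_protection_bypassed": True, "created_at": "2023-10-02T08:00:00Z"},
    {"number": 12, "secret_type": "github_personal_access_token", "validity": "active",
     "push_protection_bypassed": True, "created_at": "2023-10-04T15:00:00Z"},
]

if __name__ == "__main__":
    # With GITHUB_TOKEN set, query a real repository (OWNER/REPO are placeholders
    # to replace); without it, run the triage over the constructed sample offline.
    token = os.environ.get("GITHUB_TOKEN")
    alerts = fetch_alerts("OWNER", "REPO", token) if token else SAMPLE_ALERTS
    for row in triage(alerts):
        print(f"#{row['number']:<4} {row['validity']:<8} {row['secret_type']:<30} {row['action']}")
```

Filtering on `validity=active,unknown` at the API keeps already-inactive tokens out of the on-call queue entirely; they still deserve a look later, because a token revoked after it leaked may have been used in between.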

GitHub also offers push protection, which scans commits for secrets as they are pushed and blocks the push before the secret ever lands in the repository, rather than alerting after the fact.
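As an added example (not GitHub’s own push-protection code), the script below shows the client-side version of that idea: a git hook that scans only the lines a commit would add, looking for a few well-known token formats and for high-entropy values assigned to secret-looking names, and exits non-zero so the commit or push is refused. The token prefixes (AKIA/ASIA, ghp_ and friends, xoxb-/xoxp-, AIza) are the providers’ documented formats; the entropy threshold, the list of secret-like names and the sample diff are constructed for this example.

```python
"""Client-side secret scan for a git pre-commit or pre-push hook.

Added example for this post; it is not GitHub's push-protection code.
Token prefixes are the providers' documented formats; the entropy
threshold, secret-name list and SAMPLE_DIFF are this example's choices.
"""
import math
import re
import sys
from dataclasses import dataclass

# Provider-specific token formats, fenced with lookarounds so a token embedded
# in a longer identifier is not reported.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "github_token": re.compile(r"(?<![A-Za-z0-9_])(?:gh[pousr]_[A-Za-z0-9]{36}"
                               r"|github_pat_[A-Za-z0-9_]{82})(?![A-Za-z0-9_])"),
    "slack_token": re.compile(r"(?<![A-Za-z0-9-])xox[baprs]-[A-Za-z0-9-]{10,}(?![A-Za-z0-9-])"),
    "google_api_key": re.compile(r"(?<![A-Za-z0-9_-])AIza[0-9A-Za-z_-]{35}(?![A-Za-z0-9_-])"),
}
# Generic rule for secrets with no fixed prefix (e.g. AWS secret access keys):
# a secret-looking name assigned a quoted 20+ character string, kept only if
# the string looks random rather than like prose.
ASSIGNMENT = re.compile(r"(?i)(?:secret|token|passw(?:or)?d|api[_-]?key|access[_-]?key)\w*"
                        r"\s*[:=]\s*[\"']([^\"'\s]{20,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; picked for this example
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int        # line number in the new version of the file
    kind: str
    redacted: str    # first and last 4 characters only, never the full secret


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 8, 4) + value[-4:]


def scan_line(text: str):
    """Yield (kind, value) for each secret-like token in one line of text."""
    seen = set()
    for kind, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(text):
            seen.add(m.group(0))
            yield kind, m.group(0)
    for m in ASSIGNMENT.finditer(text):
        value = m.group(1)  # skip values a specific pattern already reported
        if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            yield "high_entropy_secret", value


def scan_diff(diff: str):
    """Scan only the added lines of a unified diff, tracking new-file line numbers."""
    findings, path, line_no = [], "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK_HEADER.match(raw)):
            line_no = int(m.group(1))
        elif raw.startswith("+"):
            for kind, value in scan_line(raw[1:]):
                findings.append(Finding(path, line_no, kind, redact(value)))
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1  # context line; removed ("-") lines consume no new line number
    return findings


# Constructed diff: AWS's documented example key pair, a made-up GitHub token,
# and a long low-entropy string that the generic rule must NOT flag.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,7 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.test"]
-AWS_REGION = "us-east-1"
+AWS_REGION = "eu-west-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+PASSWORD_HINT = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    # Hook usage:  git diff --cached -U0 | python scan_secrets.py   (exit 1 blocks the commit)
    found = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for f in found:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    sys.exit(1 if found else 0)
```

Run against the sample, the hook reports the access key ID on line 12, the secret access key on line 13 (caught by the entropy rule, since it has no fixed prefix) and the GitHub token on line 14, while the 36-character string of repeated letters on line 15 passes. A hook like this is a complement to server-side push protection, not a replacement: developers can skip local hooks, and the server-side check is the one that cannot be bypassed silently.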

George McGregor, VP at Approov Mobile Security, had this to say:

   “This is a great extension to an important service provided by GitHub. Knowing when your secrets have leaked is important, but equally important is what you do about it.

   “It is important to have a plan and have the tools in place to act immediately. In other words, to be able to rotate compromised secrets and keys in real-time without having to update code or upgrade apps.

   “That way GitHub provides the ‘early warning’ about leaked secrets and a cloud based secret-management solution provides the ability to act quickly.”

I agree. This is a great way to avoid an “oops” moment that can have devastating consequences. I applaud GitHub for taking this step as this is one of those things that will make things better for all of us in the long term.
