GitHub now scans for secret leaks in developer workflows:
GitHub has introduced a new scanning feature for protecting developers from accidental secret leaks.
On April 4, the Microsoft-owned code repository said the GitHub Advanced Security suite has now been upgraded with a new push protection feature to prevent the leak of secrets that could compromise organization-owned projects.
GitHub Advanced Security is a licensed business product including code scanning, supply chain attack protection, and Dependabot alerts.
The new feature is an optional check for developers to use during their workflows before a git push is accepted. As of now, the scan will only check for "highly identifiable patterns" of potential leaks based on the collaborative efforts of GitHub and partner organizations, including token issuers.
There are 69 patterns in total that the tool will check for as potential indicators of secret leaks. In addition, over 100 different token types are checked.
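The kind of pre-push check the summary describes, as an added example and not GitHub's own code: it scans only the added lines of a unified diff against a few highly identifiable token shapes and reports redacted hits, so the secret is never echoed back in full. The regexes, the `ghp_`/`AKIA` prefixes and the sample diff are assumptions constructed for illustration, not GitHub's partner pattern list.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Assumed "highly identifiable" token shapes; GitHub's real list is not public here.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

class Finding(NamedTuple):
    kind: str
    line_no: int   # line number within the diff text
    redacted: str  # short prefix only; never print the whole secret

def redact(token: str) -> str:
    return token[:8] + "..." if len(token) > 8 else token

def added_lines(diff: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, text) for '+' lines, skipping the '+++' file header.
    Removed lines are not scanned: push protection cares about what gets pushed."""
    for no, line in enumerate(diff.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            yield no, line[1:]

def scan_push(diff: str) -> List[Finding]:
    findings: List[Finding] = []
    for no, text in added_lines(diff):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append(Finding(kind, no, redact(m.group(0))))
    return findings

def push_allowed(diff: str) -> bool:
    return not scan_push(diff)

# Constructed sample diff: a removed line carries an old fake token (ignored),
# added lines carry AWS's documented example key id and a fake GitHub-style token.
OLD_PAT = "ghp_" + "y" * 36
FAKE_PAT = "ghp_" + "x" * 36
SAMPLE_DIFF = f"""\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
-GITHUB_TOKEN = "{OLD_PAT}"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "{FAKE_PAT}"
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_push(SAMPLE_DIFF):
        print(f"blocked: {f.kind} at diff line {f.line_no} ({f.redacted})")
```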
(Score: 0) by Anonymous Coward on Thursday April 07 2022, @08:33AM
Then the leaks won't be a secret any more!
(Score: 4, Informative) by takyon on Thursday April 07 2022, @08:47AM (7 children)
https://www.theregister.com/2022/04/05/github_prevents_leaks_by_scanning/ [theregister.com]
https://nakedsecurity.sophos.com/2019/03/25/thousands-of-coders-are-leaving-their-crown-jewels-exposed-on-github/ [sophos.com]
I think we ran a story about some GitHub-hosted project compromising itself by putting a password in the source code. But the less severe leaks are happening often.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Informative) by Anonymous Coward on Thursday April 07 2022, @10:43AM
Who would trust developers that don't even tool for macro processors or sed to keep private, installation specific info in private config files? It's not "best practice", it's the only practice. It's not a "rookie mistake", it's basic competence.
(Score: 4, Insightful) by Thexalon on Thursday April 07 2022, @11:21AM (4 children)
The real kicker is: Why are people using Github for things they're trying to develop privately? You move code to somebody else's server, you should not assume it's private anymore, it's that simple.
If you're developing something that's not intended for public consumption (say, open-source code), set up your own git server [git-scm.com], it's really not that hard.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Informative) by Thexalon on Thursday April 07 2022, @11:23AM (3 children)
Oops, pre-coffee mistake there! I meant, of course, that anything proprietary should not go on Github, and open-source code can.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 1, Informative) by Anonymous Coward on Thursday April 07 2022, @05:32PM
I mean, isn't the paid proprietary offering the way that Github makes its money?
Looks like, yes: https://github.com/enterprise [github.com]
So, I would say, don't fault too many people for using a product as designed.
(Score: 2) by maxwell demon on Thursday April 07 2022, @08:50PM
I honestly don't see the mistake there. You gave an example of something that's intended for public consumption (namely Open Source). That is, it's about developing something that is not Open Source (as well as also otherwise not intended for public consumption).
Yes, you could parse it differently, but I would only have considered that alternate parse for fun, not as the intended meaning.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by shrewdsheep on Friday April 08 2022, @08:17AM
You said it right there, pre-coffee mistakes are why shit hits the fan. It is somewhat ironic, isn't it?
(Score: 0) by Anonymous Coward on Friday April 08 2022, @01:37AM
Thanks for reading TFA for us. This would've been good in the summary. Appreciate your sharing.
(Score: 2) by Rich on Thursday April 07 2022, @10:45AM (2 children)
There's a matrix of who-gets-what at:
https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security [github.com]
To existing paying customers that's quite a "Nice code you have there, we'd like to make you an offer you can't refuse." approach. When you click through to the details, note that the open projects don't get the "advanced" stuff.
But you can bet that they scan everything and report that to YKW (*). I'm also quite sure they have additional "advanced" stuff in "beta" that has yet to be "rolled out", for "best user experience". Or so.
Oh well, not that YKW wouldn't scan the repos anyway. This just saves them work, and maybe they have preempted and spoiled some other project for the same task that would have taken them away a few of the juicy finds.
(*) You Know Who. Your favourite Three-Letter-Agency.
(Score: 0) by Anonymous Coward on Thursday April 07 2022, @04:30PM (1 child)
Suspicious of your government, eh. I'd be more concerned about a certain two letter agency scanning my code for "secrets", like maybe one that bought GitHub.
(Score: 4, Interesting) by Rich on Friday April 08 2022, @12:29AM
No worries. They're not after exploits. But you bet they have an "interest indicator" that identifies quickly rising projects and, when those could interfere with their business, make an offer to purchase and bury it, or try to spoil them in other ways. Remember when they were bought, they were the single go-to location for the entire FLOSS scene.
I've recently wondered if there's an update to the Foley-VanDam graphics book. I have rev 2, which was a comprehensive tour-de-force through anything known about computer graphics in the 80s. But being that old, there is nothing about modern GPU tech inside, so I looked for an update. There is a rev 3 on offer, but the reviews say "This is effectively a new book, but not a good one, it's all WPF/C#-based and full of endless MS product placements. Stick with version 2." That's how it works today. Same as with Altium where some sorry influencers on YT have "Starting with Altium for hobbyists" videos, when KiCAD is steamrollering that scene. Simple "Three-B" strategy: Buy, Bury, or Both.
But MS themselves aren't going to hack anyone with scanned exploits. Heck, they have my business mobile number for Two-Factor-Auth and that phone didn't BSOD yet.