GitHub is making your code safer for everyone

News
By Sead Fadilpašić
published

Scanning for secrets has now gotten a lot easier

A developer writing code
(Image credit: Shutterstock / Elle Aon)

GitHub’s push protection feature, introduced as a beta in April 2022, is now generally available, the company has announced. 

The feature makes all code repositories safer by preventing them from leaking sensitive information such as API keys. 

Push protection works by scanning for secrets before “git push” operations are accepted, the company explained, adding that 69 token types are supported, including API keys, private keys, secret keys, authentication tokens, access tokens, management certificates, and similar.

GitHub security boost

While some false positives might happen, they should be few and far between.

"If you are pushing a commit containing a secret, a push protection prompt will appear with information on the secret type, location, and how to remediate the exposure," GitHub said. "Push protection only blocks secrets with low false positive rates, so when a commit is blocked, you know it's worth investigating."

Push protection has been in beta for more than a year now, and during that time, developers that used it managed to avoided 17,000 sensitive data leaks, and saved more than 95,000 hours they’d otherwise have to spend on addressing the issue of compromised data, GitHub claims. 

Read more

> GitHub takes down repository with Twitter source code

> GitHub unveils its huge code search makeover

> Check out the best firewalls

"Today, push protection is generally available for private repositories with a GitHub Advanced Security (GHAS) license," GitHub added. "In addition, to help developers and maintainers across open source proactively secure their code, GitHub is making push protection free for all public repositories."

If you’re interested in giving push protection a spin, you can do so via the API, or by clicking on the corresponding menu in the user interface: head over to GitHub.com > navigate to the main page > click Settings > look for “Security” and click “Code security and analysis” > find “Configure code security and analysis” and look for “GitHub Advanced Security” > Go to “Secret scanning” > find “Push protection” and enable it.

Devs can also enable it for single repositories by going Settings > Security & analysis > GitHub Advanced Security dialog.

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.