GitHub Is Testing New Security Tools for Open-Source Code

Cloud-based code hosting service GitHub wants to make open-source material more secure. The Microsoft service is expanding safety features with two new offerings in beta. Secret scanning alerts are now free for all public repositories while push-notifications for custom secret patterns are also being made available. Open-source code is now incorporated into a whopping 97 percent of applications, according to Synopsys, which says 90 percent of organizations rely on it to varying degrees. Yet the very access that contributes to its popularity also leaves it vulnerable to malicious actors, as emphasized by the SolarWinds, Log4j and other breaches.

Argon Security indicates that “software supply chain attacks grew by more than 300 percent between 2020 and 2021,” according to VentureBeat, which notes Gartner found that 89 percent of companies had a risk event within the past five years.

“It’s a bad idea to hardcode security credentials into source code, yet it happens, and when it does the consequences can be dire,” TechCrunch writes, noting that “until now, GitHub only made its secret scanning service available to paying enterprise users who paid for GitHub Advanced Security,” but is now making secrets scanning available free to all public GitHub repos by the end of January 2023.

Exposed secrets and credentials are the most common cause of data breaches, according to a GitHub blog post that says the company’s secret scanning partner program checks repositories for more than 200 token formats and in 2022 notified partners of more than 1.7 million potential secrets exposed in public repositories to prevent the misuse of those tokens.

“Once enabled, GitHub directly notifies developers of leaked secrets in code. This enables them to easily track alerts, identify the leak’s source, and take action,” VentureBeat writes. “Vulnerabilities in open-source code can have a global ripple effect across the millions of people and services that rely on it,” explained GitHub senior product manager Mariam Sulakian.

Since its initial release in April, GitHub Advanced Security’s push protection has prevented more than 8,000 secret leaks across 100 secret types. Now, organizations that have defined custom patterns can enable push protection for those patterns, preempting leaks by scanning for secrets before breaches take place. After defining custom patterns at the repository, organization and enterprise levels, users can enable push protection for custom patterns at the organization or repository level.

With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern. “With push protection, businesses can prevent accidental leaks of the most critical secrets,” Sulakian said on VentureBeat, noting that with the enhanced capabilities, “organizations with GHAS have additional coverage for what are often their most important secret patterns: those customized and defined internally to their organizations.”

In addition to GitHub’s tool, Gitleaks will scan for leaked secrets (and integrates with GitHub actions) as do products from various security companies, “though their services tend to go well beyond secret scanning and are generally geared toward enterprises,” TechCrunch writes.

Dark Reading provides a guide to the most popular and highly rated open-source security offerings.

Okta’s Source Code Stolen After GitHub Repositories Hacked, Bleeping Computer, 12/21/22
Google Debuts OSV-Scanner – a Go Tool for Finding Security Holes in Open Source, The Register, 12/15/22
Study Finds AI Assistants Help Developers Produce Code That’s More Likely To Be Buggy, The Register, 12/21/22
Top GitHub CoPilot Hacks that Python Developers Should Know, Analytics Insight, 12/31/22
Why Attackers Target GitHub, and How You Can Secure It, Dark Reading, 12/27/22

No Comments Yet

You can be the first to comment!

Leave a comment

You must be logged in to post a comment.