GitHub makes scanning for secrets available for all public repos
GitHub now blocks pushes to public repositories that contain secrets such as API keys and private or secret keys by default. Other identifiable and sensitive information will also be blocked from now on when users push to an open repo via git. The feature was previously in beta.
GitHub writes in a blog post that the feature, called ‘push protection’, is now generally available. That availability applies to all public repos on the platform. Users can also enable the feature for private repos if they have an Advanced Security subscription.
Push protection scans every commit pushed to a public repo for the presence of secrets or sensitive information. This covers API keys, access tokens, secrets or passwords that appear in code. GitHub also blocks certificates and other potentially sensitive information by default. GitHub says it is working with several parties to keep the number of false positives low; the company works with service providers such as AWS and Google.
The feature works both from IDEs with a GUI and from the command line when users push with tools like git. Users who push code containing secrets will see a warning. The warning can be bypassed, but users must then enter a reason why committing the secret is necessary. If they do this in the repo of a large organization, the administrators are notified.
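As an added example (not GitHub's code and not from the article), a minimal model of a push-protection check run over a constructed diff: it inspects only the lines a push would add, matches a few publicly documented key formats, blocks by default, and turns a bypass with a stated reason into an audit record of the kind the article says administrators receive. The pattern set and the decision labels are assumptions, not GitHub's actual rule set.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: a tiny subset of secret formats (AWS key-id and GitHub token
# prefixes are public conventions); a real scanner has hundreds of rules.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int   # line number within the diff text
    excerpt: str   # matched value, masked so the audit log does not re-leak it

def mask(secret: str) -> str:
    """Keep a short prefix for triage, hide the rest."""
    return secret[:6] + "*" * max(0, len(secret) - 6)

def scan_diff(diff_text: str) -> list[Finding]:
    """Check only added lines ('+' lines, excluding the '+++' file header)."""
    findings = []
    for no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, no, mask(m.group(0))))
    return findings

def push_decision(findings: list[Finding], bypass_reason: str | None = None) -> tuple[str, list[str]]:
    """Block when secrets are found unless the pusher states a bypass reason;
    a bypass is allowed but yields audit records for administrators."""
    if not findings:
        return "allow", []
    if not bypass_reason:
        return "block", [f"{f.kind} at diff line {f.line_no}: {f.excerpt}" for f in findings]
    return "allow-with-bypass", [f"BYPASS ({bypass_reason}): {f.kind} at diff line {f.line_no}" for f in findings]

# Constructed sample diff: the added line carries AWS's documented example key id,
# the removed line carries a dummy token (removed lines are not re-checked here).
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
-GITHUB_TOKEN = "ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 REGION = "eu-west-1"
"""
```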
The feature came out in beta last year, but was then only available to Advanced Security users. During the beta period, 17,000 leaks were blocked, according to GitHub.