Sign in / up

back to article GitHub tackles leaks by scanning for secrets in pushed code

GitHub is aiming to help users avoid inadvertent leaks of confidential objects like access tokens by scanning repository content for such secrets before a git push is allowed to complete. The secret scanning capability is already a feature of GitHub Advanced Security, which is enabled for all public repositories on GitHub.com …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Anonymous Coward
    Anonymous Coward

    "Organizations with GitHub Advanced Security "

    Only as secure as your payment.

    0 1 Reply
  2. captain veg Silver badge

    "GitHub has been working with service provider partners to push for them to implement patterns that can be more reliably identified"

    I'm no expert, but that looks like "weakening your encryption" to me.

    -A.

    0 5 Reply
    1. Joe W Silver badge
      Reply Icon

      Not sure about that...

      My guess (as good as anyone's) is that tokens would come with headers (or "tail" identifiers like in an .authorized_keys file or rather the public key part of an ssh key pair that define the user / domain / machine it was created for). These would only compromise security through obscurity, which is not much of the former as the latter is not easily achieved...

      6 0 Reply
    2. bombastic bob Silver badge
      Reply Icon
      Devil

      no, it's my assumption from that description that they want to identify what a 'secret' would look like for a particular provider.

      I have a script that I use to send information via inter-company mail with a daily cron job but of course it needs a user and password to contact the mail server to send it. So before checking in the script I sanitize the user and password, but I imagine it might get flagged now, depending. It's just a simple Perl script using the Mail object (as I recall) but if that's one of the 'patterns' used to find secrets I hope that it simply asks "are you sure" and lets it go through when you confirm it.

      Then again I always use the command line 'git' to push things so who knows...

      0 0 Reply
  3. Fruit and Nutcase Silver badge
    Mushroom

    a social media-style algorithmic feed with suggestions for developers to look at. About as annoying as Microsoft's forays into this type of things in Outlook. May I humbly suggest that whoever comes up with these ideas take a look where the Sun doesn't shine and let us get on with our work without hindrance.

    3 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      re: get on with our work without hindrance.

      That is exactly what the likes of MS does not want. These companies want us to be viewing as many adverts for as long as possible.

      IMHO, they can go 'F' themselves.

      My machine (no MS, it is not yours to do with as you please) is a tool that I have set up for my work process. The last thing I want is for effing ads to start getting in the way.

      This is just another move by MS to monetize their raping of GitHub. The more that they do this, the more I feel justified in removing all my projects from GitHub the day after MS bought the site.

      3 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like