
GitHub launches new security tools

GitHub has introduced new security enhancements to its Advanced Security platform. This includes making security products available for purchase by enterprises as standalone products, the introduction of free, company-wide secret risk assessments of all repositories for exposed secrets, and improved leak detection in the cloud in partnership with providers including AWS, OpenAI and Google Cloud.

GitHub’s tightened security posture follows the detection of some 39m leaked secrets in its repositories last year, data that included confidential API keys, tokens, credentials and other sensitive information. “Every minute GitHub blocks several secrets with push protection,” GitHub said in a report announcing the new measures. “Still, secret leaks remain one of the most common—and preventable—causes of security incidents. As we develop code faster than ever previously imaginable, we’re leaking secrets faster than ever, too. That’s why, at GitHub, we’re working to prevent breaches caused by leaked tokens, credentials, and other secrets—ensuring protection against secret exposures is built-in and accessible to every developer.”

New security enhancements aim to reduce credential exposure

According to GitHub’s latest report, the 39m secrets exposed last year were identified through its secret scanning service, which detects and prevents the accidental inclusion of sensitive information in repositories. As for why so much confidential information ended up publicly exposed on GitHub, according to reporting by BleepingComputer, the organisation said it was mostly down to developers prioritising convenience over security and inadvertently exposing secret data.

As such, the company is now offering ‘Secret Protection’ and ‘Code Security’ as separate products, making security tools more accessible to smaller teams. Other security enhancements include improvements to Push Protection, which now allows organisations to define who can bypass secret protection policies, and the integration of Copilot-powered secret detection, which uses AI to identify unstructured secrets such as passwords while reducing false positives.

Alongside these security updates, GitHub has provided recommendations for users to minimise the risk of secret exposure. Developers are encouraged to enable Push Protection at the repository, organisation, or enterprise level to prevent secrets from being pushed to repositories. Additionally, GitHub suggests integrating security tools with CI/CD pipelines and cloud platforms to handle secrets programmatically, reducing human interaction that could lead to accidental exposure. Users are also encouraged to review GitHub’s best practices guide to ensure proper secret management throughout the development lifecycle.
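To make the push-protection and secret-detection ideas above concrete, here is an added example of a minimal pre-push gate: it scans candidate lines for a couple of structured token formats and a password-assignment heuristic, redacts what it finds, and applies a bypass policy that only named roles may use. This is illustrative code written for this page, not GitHub’s scanner or its rule set; the patterns are simplified, the sample lines and the `security-admin` role name are constructed, and a real deployment would validate candidates against the issuing provider rather than rely on regexes alone.

```python
import re
from dataclasses import dataclass

# Simplified detection rules (assumptions for this example, not GitHub's own).
# Each rule captures the secret value in its last group so it can be redacted.
PATTERNS = {
    # GitHub personal access tokens use a "ghp_" prefix followed by 36 characters.
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    # AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Unstructured-secret heuristic: a password-like variable assigned a literal
    # of at least 8 characters. This is the kind of case an AI-assisted detector
    # targets; the length floor here is a crude false-positive filter.
    "password_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Roles permitted to bypass push protection (constructed policy for the example).
BYPASS_ALLOWED = {"security-admin"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str


def redact(secret: str) -> str:
    """Keep a short prefix and suffix so a finding is recognisable but not reusable."""
    if len(secret) <= 8:
        return "***"
    return secret[:4] + "..." + secret[-2:]


def scan_lines(lines):
    """Return a Finding for every rule that matches on every line (1-indexed)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group(match.lastindex)
                findings.append(Finding(rule, line_no, redact(secret)))
    return findings


def push_allowed(lines, actor_roles, bypass_requested=False):
    """Push-protection decision: block on any finding unless an allowed role bypasses.

    Returns (allowed, findings) so the caller can log the findings either way.
    """
    findings = scan_lines(lines)
    if not findings:
        return True, findings
    if bypass_requested and set(actor_roles) & BYPASS_ALLOWED:
        return True, findings  # audit these: bypasses are exactly what a review should see
    return False, findings


# Constructed sample lines standing in for a pushed diff; the token values are fake.
SAMPLE_LINES = [
    "DB_HOST = 'db.example.internal'",
    "GITHUB_TOKEN = 'ghp_" + "A1b2" * 9 + "'",
    "aws_access_key_id = AKIAEXAMPLEKEY000000",
    'password = "Tr0ub4dor&3"',
]

if __name__ == "__main__":
    allowed, found = push_allowed(SAMPLE_LINES, {"developer"})
    print("push allowed:", allowed)
    for f in found:
        print(f"  line {f.line_no}: {f.rule} -> {f.redacted}")
```

Run as-is, the gate refuses the constructed push for a plain developer and lists three redacted findings; the same push with `bypass_requested=True` from a `security-admin` is allowed, which is the point of the organisation-defined bypass policy the article describes: the secret still gets logged, and the decision to let it through is attributable to a named role.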
