GitHub has announced enhanced protection against confidential data ending up in repositories, which developers often leave in the code unintentionally. For example, configuration files with DBMS passwords, tokens or API access keys regularly end up committed to a repository.
Previously, secret scanning ran only in passive mode and could identify leaks that had already landed in the repository. To prevent leaks from happening in the first place, GitHub has additionally begun offering an option that automatically blocks pushes of commits in which confidential data is detected.
The check runs when git push is executed and produces a security-violation warning if the code contains tokens used to connect to the APIs of known services. A total of 69 patterns are used to identify various kinds of keys, tokens, certificates and credentials. To keep false positives down, only token types whose format can be identified with certainty are checked. After a push is blocked, the developer is prompted to review the offending code, remove the leaked secret and push again, or mark the block as a false positive.
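To show what the push-time flow described above looks like from the client side, here is an added example of a local Git pre-push hook written for this page; it is not GitHub's implementation and its pattern list is an illustrative subset, not GitHub's 69 patterns. It assumes the two high-confidence formats it matches (classic GitHub personal access tokens with the `ghp_` prefix and 36 trailing characters, and AWS access key IDs with the `AKIA` prefix and 16 trailing characters) plus the PEM private-key header, scans only lines the push would add, and lets a reviewed false positive be allowed via a hypothetical SECRET_SCAN_ALLOW environment variable holding fingerprints of accepted matches. The sample diff is constructed for the example; the AWS key in it is the one AWS publishes as a documentation example.

```python
#!/usr/bin/env python3
"""Illustrative Git pre-push hook that blocks pushes containing high-confidence
secret formats. Added example: not GitHub's code or pattern set."""
import hashlib
import re
import subprocess
import sys
import os

# Illustrative subset: only formats with a fixed prefix and length, so that a
# match is near-certain and false positives stay low (assumed list, not GitHub's).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
ZERO_OID = "0" * 40  # Git passes this as the remote oid for a new branch / local oid for deletion
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff for the demo and the tests (not from a real repository).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 TIMEOUT = 30
"""


def fingerprint(secret: str) -> str:
    """Stable identifier for one specific match, so a reviewed false positive can be
    allowed without storing the matched string itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_added_lines(diff_text: str, allowlist=frozenset()):
    """Scan only the lines a push would add ('+' lines, not '+++' headers).
    Returns a list of (pattern_name, line_number_in_new_file, fingerprint, masked_match)."""
    findings = []
    new_line_no = 0
    for line in diff_text.splitlines():
        header = HUNK_HEADER.match(line)
        if header:
            new_line_no = int(header.group(1)) - 1  # next line is the hunk's first new-file line
            continue
        if line.startswith(("+++", "---", "-", "\\")):
            continue  # file headers, removed lines and "\ No newline" markers do not count
        new_line_no += 1  # context and added lines both advance the new-file line number
        if not line.startswith("+"):
            continue
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line[1:]):
                fp = fingerprint(m.group(0))
                if fp in allowlist:
                    continue  # previously reviewed and marked as a false positive
                findings.append((name, new_line_no, fp, m.group(0)[:6] + "..."))
    return findings


def diff_for_push(local_oid: str, remote_oid: str) -> str:
    """Diff of everything the push would add. For a new remote branch there is no
    base, so compare against the empty tree (every line then counts as added)."""
    base = remote_oid
    if remote_oid == ZERO_OID:
        base = subprocess.run(["git", "hash-object", "-t", "tree", "/dev/null"],
                              check=True, capture_output=True, text=True).stdout.strip()
    return subprocess.run(["git", "diff", base, local_oid],
                          check=True, capture_output=True, text=True).stdout


def report(findings) -> bool:
    """Print the block reason for each finding; return True when the push must be refused."""
    for name, line_no, fp, masked in findings:
        print(f"push blocked: {name} at new-file line {line_no} ({masked}); remove the secret "
              f"and push again, or after review allow it with SECRET_SCAN_ALLOW={fp}",
              file=sys.stderr)
    return bool(findings)


def main() -> int:
    allow = frozenset(f for f in os.environ.get("SECRET_SCAN_ALLOW", "").split(",") if f)
    if "--demo" in sys.argv:  # run against the constructed sample instead of a real push
        return 1 if report(scan_added_lines(SAMPLE_DIFF, allow)) else 0
    blocked = False
    # Git feeds the hook one line per ref: <local ref> <local oid> <remote ref> <remote oid>
    for ref_line in sys.stdin:
        parts = ref_line.split()
        if len(parts) != 4 or parts[1] == ZERO_OID:
            continue  # malformed line or branch deletion: nothing to scan
        blocked |= report(scan_added_lines(diff_for_push(parts[1], parts[3]), allow))
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as an executable `.git/hooks/pre-push` (or run with `--demo` to see it refuse the constructed sample). Because the hook diffs against the remote's current oid, secrets already present on the server are not reported again, which mirrors the difference between the passive scan of existing history and the push-time block described above; the trade-off of the allowlist is that it accepts a specific matched string, not a pattern, so a real token renamed into a "false positive" still blocks the next distinct token.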
The push-time blocking option is so far available only to organizations with access to the GitHub Advanced Security service. Passive scanning is free for all public repositories but remains a paid feature for private ones. Passive scanning is reported to have already found more than 700 thousand leaks of confidential data in private repositories.