GitHub To Offer Coders Free Scanning For Leaked Keys, Tokens, and Other Secrets (techcrunch.com) 4
TechCrunch reports:
Every developer knows that it's a bad idea to hardcode security credentials into source code. Yet it happens and when it does, the consequences can be dire. Until now, GitHub only made its secret scanning service available to paying enterprise users who paid for GitHub Advanced Security, but starting Thursday, the Microsoft-owned company is making its secrets scanning service available for all public GitHub repos for free.
In 2022 alone, the company notified partners in its secret scanning partner program of more than 1.7 million potential secrets that were exposed in public repositories. The service scans repositories for over 200 known token formats and then alerts partners of potential leaks — and you can define your own regex patterns, too.... However, the rollout of the service will be gradual and it will not be available to all users until the end of January 2023.
TechCrunch also notes there's alternatives (including open source GitLeaks).
In 2022 alone, the company notified partners in its secret scanning partner program of more than 1.7 million potential secrets that were exposed in public repositories. The service scans repositories for over 200 known token formats and then alerts partners of potential leaks — and you can define your own regex patterns, too.... However, the rollout of the service will be gradual and it will not be available to all users until the end of January 2023.
TechCrunch also notes there's alternatives (including open source GitLeaks).
I would appreciate that. (Score:3)
I work for a consultancy, delivering software development services for medium to large organizations. While I don't get to officially write code anymore, I do participate in audits.
Last week I found a secret that:
- Was the same in all environments, including production
- Was hard-coded into the application
- Was checked into an unsecured git environment
- Was peer reviewed and "passed"
It was a new grad who made the first mistake, but the not only didn't others catch it immediately, the ecosystem perpetuated the insecurity.
These are "professionals". While I'm generally happy with the work they do, this kind of thing screams "amateur hour", and could really damage our reputation. I would not be averse to a tool that catches it. Consider it the "spell checker" of this world.
Ask for assistance (Score:2)
I'd like clear guidance on how *not* to do this.
It's best if I explain by example. I have a PowerShell script that takes a .JWK file and uses it to request an auth token from Okta. I can store the .jwk (a certificate with private key) as either a separate file or as a multi-line string. How do I check that into github and have the certificate stripped out? Right now, my solution is to create an empty/fake JWK as a separate file, check that in, and then .gitignore the original. That can't be the best ap
Re:Ask for assistance (Score:5, Informative)
I'd like clear guidance on how *not* to do this.
It's best if I explain by example. I have a PowerShell script that takes a .JWK file and uses it to request an auth token from Okta. I can store the .jwk (a certificate with private key) as either a separate file or as a multi-line string. How do I check that into github and have the certificate stripped out? Right now, my solution is to create an empty/fake JWK as a separate file, check that in, and then .gitignore the original. That can't be the best approach, as it's super fragile.
Tell me a better way, and I'll do it.
Best practices for securely storing API keys [freecodecamp.org]