New security features for GitHub to protect secrets
Despite all security precautions, millions of secrets are still leaked from GitHub every year. New measures are intended to remedy the situation.
(Image: A protected laptop. Created with AI in Bing Designer by heise online / dmk)
- Manuel Masiero
According to GitHub, its push protection blocks several secrets such as passwords or API keys every minute. Nevertheless, leaked secrets remain one of the most common causes of security incidents on GitHub. To counteract this development, GitHub is now expanding its security functions for developers.
As previously announced, GitHub is reorganizing the structure and availability of the GitHub Advanced Security (GHAS) security suite from April. GitHub is also offering a new scanning tool to help developers prevent the leakage of secrets.
GHAS becomes Secret Protection and Code Security
Since April 1, the functions of GHAS have been split into the individual packages GitHub Secret Protection (USD 19 per month) and GitHub Code Security (USD 30 per month), which can be booked independently of each other. Together, they are therefore just as expensive as the complete GHAS package at USD 49 per month.
At the same time, GitHub has improved the accessibility of the GHAS security functions. While GHAS was previously only available with GitHub Enterprise or the Microsoft Azure DevOps plans, GitHub is now also offering the two new individual packages for GitHub Team.
Scan tool for secrets
Since the beginning of April, a new scan tool has also been available to developers, on Enterprise Server from GHES 3.18 onwards. Organizations with a GitHub Team or Enterprise plan can use it at no extra charge.
The scan tool can be found in the security tab of the GitHub dashboard and performs a security check for all public, private, internal and archived repositories. It then lists the following results, among others: the number of data leaks per secret type, the number of publicly visible secrets in the organization's public repositories and the number of affected repositories for each secret type. The results can be downloaded as a CSV file.
(Image: GitHub)
To prevent the disclosure of secrets, GitHub launched a partner program for secret verification several years ago. Hundreds of providers have now joined this program, including AWS, Google, Meta and OpenAI.
Last year, GitHub introduced push protection for public repositories as a further security component. It is designed to prevent sensitive information such as passwords or API keys from being accidentally pushed there.
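As an added illustration of the kind of check push protection performs on content before it reaches a repository (example code written for this article, not GitHub's own; the two token formats, the entropy threshold and the sample diff are constructed assumptions, and real push protection covers hundreds of provider patterns):

```python
"""Minimal pre-push style secret check: scan text about to be pushed
(e.g. `git diff origin/main`) for known credential formats and report by type."""
import math
import re
from collections import Counter

# Assumed token formats (prefix + length); a real scanner has many more.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Generic: a key/secret/token/password name assigned a long string literal.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, placeholders score low."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_secrets(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return findings as {type, line, value}. Generic assignments are only
    reported when the literal is high-entropy, which filters placeholder values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(2) if kind == "generic_assignment" else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({"type": kind, "line": lineno, "value": value})
    return findings

def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per secret type, like the per-type totals of the scan tool."""
    return dict(Counter(f["type"] for f in findings))

# Constructed sample diff; the AWS value is Amazon's documented example key.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "REPLACE_ME_REPLACE_ME"
+api_key = "q7Zx9LmP2vR8tK4wN1sY6bH3"
+GITHUB_TOKEN=ghp_""" + "Ab3" * 12 + "\n"

if __name__ == "__main__":
    hits = find_secrets(SAMPLE_DIFF)
    for h in hits:
        print(f"line {h['line']}: {h['type']}")
    print(summarize(hits))  # {'aws_access_key_id': 1, 'generic_assignment': 1, 'github_pat': 1}
```

The low-entropy placeholder on line 2 is deliberately not reported, which is the trade-off every such scanner makes between noise and missed secrets.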
There is not necessarily malicious intent behind the loss of secrets. The latest Data Breach Investigations Report from Verizon shows that it is often careless mistakes, such as accidentally making a repository publicly available, that lead to data leaks. In 2024, such mistakes were made more frequently than before. These missteps can quickly add up: In the Octoverse report, GitHub states that more than 39 million secrets were leaked from the platform in 2024, despite all security measures.
(mma)