GitHub announced updates to its Advanced Security platform after it detected over 39 million leaked secrets in repositories during 2024, including API keys and credentials, exposing users and organizations to serious security risks.

"Secret leaks remain one of the most common—and preventable—causes of security incidents," reads GitHub's announcement.

The leaks continue despite GitHub's targeted protection measures such as "Push Protection," which was introduced in April 2022 and activated by default on all public repositories in February 2024.

According to GitHub, the main reasons secrets continue to leak are developers prioritizing convenience when handling secrets during commits, and accidental repository exposure through git history.

GitHub announced several new measures and enhancements to existing systems to mitigate secret leaks on the platform:

- Standalone Secret Protection and Code Security – Now available as separate products, these tools no longer require a full GitHub Advanced Security license, making them more affordable for smaller teams.
- Free organization-wide secret risk assessment – A point-in-time scan that checks all repositories (public, private, internal, and archived) for exposed secrets, free for all GitHub organizations.
- Copilot-powered secret detection – GitHub now uses AI via Copilot to detect unstructured secrets like passwords, improving accuracy and lowering false positives.
- Push protection with delegated bypass controls – Enhanced push protection scans for secrets before code is pushed and allows organizations to define who can bypass the protection, adding policy-level control.
- Improved detection via cloud provider partnerships – GitHub works with providers like AWS, Google Cloud, and OpenAI to build more accurate secret detectors and respond faster to leaks.

"Previously, investing in secret scanning and push protection required purchasing a larger suite of security tools, which made it too expensive for many organizations."

"As of today, our security products are available to purchase as standalone products for enterprises, enabling development teams to scale security quickly," explained GitHub.

Apart from GitHub's initiatives and improvements, users are also given a list of recommended actions to protect themselves from secret leaks.

First, it is suggested that Push Protection be enabled at the repository, organization, or enterprise level to block secrets before they are pushed to a repository.

GitHub also highlights the importance of reducing the risk by eliminating hardcoded secrets from source code altogether, instead storing them in environment variables, secret managers, or vaults.

The platform suggests using tools that integrate with CI/CD pipelines and cloud platforms to handle secrets programmatically, reducing the human interaction that can introduce errors and exposure.

Finally, GitHub users are recommended to review the 'Best Practices' guide and ensure they manage secrets appropriately end-to-end.
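To illustrate the two recommendations above (block secrets before they are pushed, and keep them out of source in favor of environment variables), here is an added example of a minimal pre-push style scanner over constructed diff lines. It is not GitHub's code and does not reproduce GitHub's detectors: the structured patterns use publicly documented credential formats, and the assignment heuristic only approximates unstructured-password detection.

```python
import re
from typing import List, Tuple

# Structured detectors for publicly documented credential formats
# (AWS access key IDs start with AKIA; GitHub classic PATs start with ghp_).
STRUCTURED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Heuristic for unstructured secrets: password-like name assigned a string
# literal of 8+ chars. A lookup such as os.environ["X"] has no literal and
# is therefore not matched, which is the recommended pattern.
ASSIGNED_LITERAL = re.compile(
    r"(?i)(password|passwd|secret|token)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)

def scan_added_lines(diff_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, finding) for each added ('+') diff line that looks like a secret."""
    findings = []
    for no, line in enumerate(diff_lines, start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can introduce a leak
        body = line[1:]
        hit = next((n for n, p in STRUCTURED_PATTERNS.items() if p.search(body)), None)
        if hit:
            findings.append((no, hit))
        elif ASSIGNED_LITERAL.search(body):
            findings.append((no, "hardcoded_credential_assignment"))
    return findings

def pre_push_gate(diff_lines: List[str], bypass_approved: bool = False) -> bool:
    """Allow the push only if nothing was found, or a delegated bypass was approved."""
    return not scan_added_lines(diff_lines) or bypass_approved

# Constructed sample diff: two hardcoded secrets, one hardcoded password,
# one safe environment-variable lookup, and one removed line.
SAMPLE_DIFF = [
    "+++ b/config.py",
    "+AWS_KEY = \"AKIAIOSFODNN7EXAMPLE\"",          # AWS's documented example key id
    "+GH_TOKEN = \"" + "ghp_" + "A" * 36 + "\"",    # constructed fake PAT
    "+db_password = \"correct-horse-battery\"",
    "+api_password = os.environ[\"API_PASSWORD\"]",  # not flagged: no literal
    "-old_password = \"removed-line-ignored\"",      # removed lines are skipped
]

if __name__ == "__main__":
    for no, kind in scan_added_lines(SAMPLE_DIFF):
        print(f"line {no}: {kind}")
    print("push allowed:", pre_push_gate(SAMPLE_DIFF))
```

In a real pre-push hook the diff would come from `git diff origin/main...HEAD`, and the bypass decision would be made by the roles the organization delegates, not by the committer.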
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 02 Apr 2025 18:25:15 +0000