GitHub Tackles Secrets Leaks with Enhanced Security Tools
In 2023, more than 39 million API keys, credentials, and other sensitive secrets were unintentionally exposed on GitHub’s platform, underscoring a major challenge for developers worldwide. Despite GitHub’s proactive measures to block numerous secrets from entering production, the persistent issue of secret leaks remains a pressing concern. As a result, GitHub has taken steps to enhance its security offerings with a new update designed to help developers safeguard their sensitive data.
Secrets leaks are usually the result of accidental oversight rather than malicious intent. Many developers expose secrets by committing, storing, or sharing them in ways that seem convenient in the moment. GitHub acknowledged this in a recent blog post, explaining that developers often underestimate the long-term risk of exposing these secrets even in private settings, and so inadvertently jeopardize the security of their projects over time.
To combat this, GitHub has rolled out updates to its premium security product, GitHub Advanced Security (GHAS), aimed at giving developers the tools they need to avoid these costly mistakes. A standout feature of the GHAS 3.18 update is the new point-in-time scan, which is available for free to subscribers. The scan can be launched directly from the GHAS dashboard, identifies exposed secrets across an organization's code, and provides an in-depth risk assessment of each secret found.
In an effort to make its security features more accessible, GitHub has also unbundled its GHAS offerings. Previously, secret scanning and push protection were part of a larger security suite, making it difficult for smaller organizations to fully invest in these tools. By splitting GHAS into standalone subscriptions for Secret Protection and Code Security, GitHub has lowered the barrier to entry, allowing smaller development teams to implement robust security measures without the need for a significant financial investment. This move is part of GitHub’s ongoing effort to ensure that developers, regardless of the size of their organization, can scale security efforts quickly and efficiently.
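As an added illustration of what a push-protection style check does before a commit leaves a developer's machine (this is example code written for this article, not GitHub's implementation, and the token patterns, threshold and sample diff are constructed assumptions): scan only the added lines of a diff for known token formats and for high-entropy values assigned to secret-looking names.

```python
import math
import re
from collections import Counter

# Provider-specific formats (a constructed two-entry list; a real scanner
# such as GitHub's covers hundreds of token formats).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic fallback: a quoted value assigned to a secret-looking name.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")

def shannon_entropy(s):
    """Bits of entropy per character; random tokens score well above prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_diff(diff_text, entropy_threshold=3.5):
    """Return (path, line_no, kind) for every added line that looks like a secret."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):  # "@@ -a,b +c,d @@": new-file numbering starts at c
            line_no = int(line.split("+")[1].split(",")[0].split(" ")[0]) - 1
        elif line.startswith("+"):
            line_no += 1
            added = line[1:]
            hit = [k for k, p in PATTERNS.items() if p.search(added)]
            if not hit:  # only fall back to the entropy heuristic if no known format matched
                m = ASSIGNMENT.search(added)
                if m and shannon_entropy(m.group(2)) >= entropy_threshold:
                    hit = ["high_entropy_assignment"]
            findings.extend((path, line_no, k) for k in hit)
        elif not line.startswith("-"):
            line_no += 1  # context line: advances the new-file line counter
    return findings

def should_block(diff_text):
    """Push-protection style decision: refuse the push if anything was found."""
    return bool(scan_diff(diff_text))

# Constructed sample diff: one fake GitHub token, one random-looking key, one low-entropy value.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,5 @@
 DEBUG = False
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+API_KEY = "x9Qk2pL7vR4sT8wZ1mN6bJ3h"
+password = "changeme-changeme"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    for path, n, kind in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{n}: {kind}")
```

The low-entropy `password = "changeme-changeme"` line is deliberately not flagged, which is the trade-off any entropy heuristic makes between noise and recall.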