Microsoft subsidiary GitHub rolled out its secret scanning service to all users on Dec. 15. This service was previously available only to GitHub Enterprise Cloud users with a GitHub Advanced Security license. GitHub’s secret scanning looks through public repositories for over 200 token formats. In 2022, GitHub alerted its partners to over 1.7 million security exploits.
“Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories,” read the GitHub blog.
Users will also get a two-factor authentication (2FA) security feature in March 2023. GitHub had previously announced that it’d implement 2FA for high-impact package maintainers in Nov. 2022. However, it recently outlined 2FA’s wide-scale implementation across its 94-million user base.
Free Secret Scanning for All Users
The rationale behind GitHub’s free scanning tool is to prevent the compromise of secrets and credentials. A “secret” is a token or an authentication tool. Developers rely on them for communication with external services. Secret scanning covers the Git history and all of its branches.
According to GitHub’s documentation, the secret scanning tool looks for known security vulnerabilities. This is a caveat to keep in mind, since vulnerabilities can also be unknown and found only months after they occur.
That said, users can enable secret scanning alerts through the “Code security and analysis” settings. Already exposed secrets are listed under the “Vulnerability alerts” section. When you select any of the exposed secrets, you can view the exposure type and the remedial action you need to take.
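The following is an added example, not GitHub’s own scanner, showing what scanning Git history for token formats means in practice: it walks `git log -p --all` style output, flags secrets on added lines of every commit (a secret deleted in a later commit is still leaked), and masks the value in its report. The three patterns are an illustrative subset standing in for GitHub’s 200+ formats, and the sample log is constructed.

```python
import re
from dataclasses import dataclass

# Illustrative subset standing in for GitHub's 200+ partner token formats
# (assumption); the ghp_ and AKIA prefixes are public format facts.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    kind: str
    masked: str  # never write the full secret into an alert or log

def mask(secret: str) -> str:
    return secret[:8] + "*" * max(len(secret) - 8, 0)

def scan_history(patch_text: str) -> list[Finding]:
    """Walk `git log -p --all` output and flag secrets in *added* lines of
    every commit: deleting a secret later does not un-leak it."""
    findings, commit, path = [], "", ""
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line[1:]):
                    findings.append(Finding(commit, path, kind, mask(m.group())))
    return findings

# Constructed sample log: commit 1 leaks two credentials, commit 2 "fixes" it
# by deleting them ('-' lines, correctly ignored) and reading from the env.
SAMPLE_LOG = """\
commit 1111111aaaaaaaa
+++ b/config.py
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
commit 2222222bbbbbbbb
+++ b/config.py
-GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
"""
```

Calling `scan_history(SAMPLE_LOG)` reports both credentials against commit `1111111` even though the second commit removed them, which is why the remedial action is always to revoke the token, not just to delete the line.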
Secret Scanning for Users and Partners
Users and partners get different forms of secret scanning on GitHub. Users are:
- Owners of public repositories on GitHub.com
- Organizations owning public repositories
- Organizations using GitHub Enterprise Cloud with a license for GitHub Advanced Security on repositories owned by the organization, including private and internal repositories.
On the other hand, partners get an alert when the same file has two keys. GitHub works with a number of partners to find exposed secrets. GitHub automatically alerts its partners when secret scanning detects a secret in a GitHub commit. The platform currently works with over 100 partners, including Adobe, Azure, Atlassian, Dropbox, Discord, Hubspot, Meta, Shopify, Stripe, etc.
Leaked Secrets Are Worrying
According to IBM, leaked credentials are the most common type of data breach. These data breaches cost $150,000 more than the average data breach and take 327 days to identify. The IBM report, cited by GitHub, highlighted that 83% of companies could suffer from one or more of these data breaches. The report further recommends using automation tools, which can cut threat identification times by 74 days.
Leaked secrets are especially worrying in the context of the software supply chain. Google recently released a report concerning the software supply chain and open-source dependencies. With open-source software in wide circulation, a compromised commit can affect all developer dependencies. Moreover, the line between commercial and public software is growing thinner as commercial entities begin relying on open-source code.
Companies using open-source code give cybercriminals an increasing number of attack vectors. Sadly, organizations cannot reduce these dependencies without also reducing operational efficiency. Enforcing 2FA can be the best bet for companies in such a situation. And that’s what GitHub is working on implementing in the next phase to reduce the damage from attacks that target related software systems.
GitHub to Expand 2FA to All Users
In addition to free secret scanning, GitHub is also rolling out 2FA from March 2023 to all code contributors. 2FA increases network security by asking users for an additional passcode before logging them into an application. This stops cybercriminals from compromising a network unless they also gain access to the physical device or the application that generates the code.
The following user classes will be able to use 2FA:
- Users who’ve published GitHub Apps, OAuth apps, or packages
- Users who’ve created a release
- Users who are Enterprise and organization administrators
- Users who contributed code to critical repositories like npm, OpenSSF, PyPI, or RubyGems
- Users who contributed code to the approximate top four million public and private repositories
By the end of 2023, 2FA will be mandatory for all users, including people who publish code on the platform; everyone will have to log in with 2FA. Users who fail to enable 2FA will have 45 days before they’re blocked from using GitHub features. Overall, 2FA will make the software ecosystem safer for all parties. As a bonus, GitHub, like Google, is also adding passkey support, which is an alternative to passwords.
2FA—the Secret to Eliminating All Security Vulnerabilities?
Alex Weinert, Microsoft’s Director of Identity Security, said that an account using 2FA is 99.99% less likely to be compromised, whereas cybercriminals always compromise passwords. Microsoft research further stated that using strong passwords doesn’t prevent compromises, but it’s still better than using weaker passwords.
Google research also indicated that “adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”
Identity management is a significant issue. The debate around it will get even more heated as we increase the adoption of online authentication. GitHub has committed itself to protecting its users’ and partners’ identities by rolling out 2FA and secret scanning, setting an example for us all to follow.