GitHub has recently extended its secret scanning to cover PyPI and RubyGems registry secrets. The change is intended to protect the millions of applications built by developers who may inadvertently commit secrets and credentials to public GitHub repositories. Public repositories are now scanned automatically for exposed PyPI and RubyGems secrets, such as credentials and API tokens.
GitHub will now scan public repositories for PyPI and RubyGems secrets
For private repositories, developers need to make sure GitHub Advanced Security is enabled to take advantage of this feature. GitHub says the feature is permanently turned on for public repositories on GitHub.com and can only be disabled by changing the project's visibility so that the code is no longer public.
Like user names and passwords, secrets or tokens are strings used to authenticate to a service. Applications that rely on third-party APIs often embed secrets (private API keys) in their code to access those services.
Leaked secrets therefore deserve attention: a single exposed token can lead to larger attacks, including software supply chain attacks when the token allows publishing to a package registry. GitHub previously scanned for accidentally committed secrets from npm, NuGet, and Clojars.
GitHub Advanced Security currently supports more than 70 types of secret detection. These cover open source registries such as npm, PyPI, RubyGems, NuGet, and Clojars, as well as services unrelated to package management, such as Adobe and OpenAI secrets.
GitHub Advanced Security supports the following secret types:
What happens when a secret is discovered?
GitHub notifies the issuing partner when it discovers passwords, API tokens, private SSH keys, or other supported secrets exposed in a public repository. PyPI and RubyGems recently joined as partners: when GitHub finds one of their tokens, the registry revokes the leaked credential and emails the developer explaining why.
GitHub says every commit pushed to a public repository is scanned automatically. The advantage is that an exposed credential is revoked automatically within seconds, rather than waiting for a developer to handle it manually.
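As an added example (not GitHub's, PyPI's or RubyGems' code), here is the check a developer can run locally before a push so that a token never reaches a public repository in the first place: a small scanner that looks for the public token prefixes on the lines a diff would add, gates matches on entropy so that documentation placeholders such as pypi-XXXX are not reported, and prints only a redacted form of anything it finds. The regular expressions are simplified assumptions about the real token formats (GitHub's own detectors are not public), and the diff and tokens below are constructed for the example.

```python
"""Local pre-push scanner for registry tokens, in the spirit of the detection
GitHub runs on public repositories. Added example: not GitHub's, PyPI's or
RubyGems' code. The token patterns are simplified assumptions keyed on the
public prefixes (pypi-, rubygems_, npm_); real issuers use longer, more
specific formats."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed, simplified token shapes: a known prefix plus a long random body.
PATTERNS = {
    "pypi": re.compile(r"pypi-[A-Za-z0-9_\-]{20,}"),
    "rubygems": re.compile(r"rubygems_[0-9a-f]{48}"),
    "npm": re.compile(r"npm_[A-Za-z0-9]{36}"),
}
PREFIX_LEN = {"pypi": len("pypi-"), "rubygems": len("rubygems_"), "npm": len("npm_")}


@dataclass
class Finding:
    kind: str       # which registry's token shape matched
    line_no: int    # 1-based line in the scanned input
    redacted: str   # prefix + 4 chars + "..." + last 4 chars, never the full token


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholder strings like 'XXXX...' score near 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str, kind: str) -> str:
    keep = PREFIX_LEN[kind] + 4
    return token[:keep] + "..." + token[-4:]


def scan_lines(lines, min_entropy: float = 3.0):
    """Return a Finding for every token-shaped string whose random body has
    enough entropy. The entropy gate drops documentation placeholders such as
    pypi-XXXXXXXX that match the regex but carry no real secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                token = m.group(0)
                body = token[PREFIX_LEN[kind]:]
                if shannon_entropy(body) < min_entropy:
                    continue
                findings.append(Finding(kind, line_no, redact(token, kind)))
    return findings


def scan_diff(diff_text: str, min_entropy: float = 3.0):
    """Scan only the lines a push would add ('+' lines, excluding the '+++'
    file header). Removed lines are ignored: a pre-push hook cannot undo
    earlier commits, so a secret on a '-' line was already exposed and must be
    revoked, which is what the registry partner flow does."""
    added = []
    for raw in diff_text.splitlines():
        if raw.startswith("+") and not raw.startswith("+++"):
            added.append(raw[1:])
        else:
            added.append("")  # keep line numbering aligned with the diff
    return scan_lines(added, min_entropy)


# Constructed sample diff with fake tokens; none of these are real credentials.
SAMPLE_DIFF = (
    "diff --git a/.pypirc b/.pypirc\n"
    "--- a/.pypirc\n"
    "+++ b/.pypirc\n"
    "@@ -1,3 +1,6 @@\n"
    "+[pypi]\n"
    "+password = pypi-AgEIcHlwaS5vcmcCJDFlMmQzYjQ1LTY3ODktMGFiYy1kZWYwLTEyMzQ1Njc4OTBhYg\n"
    "-password = pypi-AgEIcHlwaS5vcmcCJG9sZHRva2VuLW9sZHRva2VuLW9sZHRva2VuLW9sZA\n"
    "+GEM_HOST_API_KEY=rubygems_3f9c2a7e1b4d8c6f0a5e9d3b7c1f4a8e2d6b0c9f3e7a1d5b\n"
    "+# example only: rubygems_" + "0" * 48 + "\n"
    "+NPM_TOKEN=npm_Ab3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY2zA4\n"
)

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.kind:9} diff line {f.line_no}: {f.redacted}")
```

Feed it the output of `git diff --cached` from a pre-commit or pre-push hook. Two lines in the sample are deliberately not reported: the all-zero RubyGems placeholder fails the entropy gate, and the token on the removed line is skipped because a local hook cannot retract what has already been pushed; that second case is exactly what the partner revocation flow above exists for.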
GitHub automates secret scanning to protect developer infrastructure from accidental leaks and to further strengthen software supply chain security. Code security now matters as much as application and network security, especially as DevSecOps becomes a mainstream practice and more enterprise teams consider how to build security into the whole software life cycle. Software security is no longer only the test department's job: security awareness should be established from the planning stage, static code analysis (SAST) should accompany code writing so that defects are found and fixed continuously and system vulnerabilities are reduced, and SCA, DAST and similar techniques should be applied in the test phase to find security problems. Eliminating code security problems, even after the fact, also helps enterprises avoid network attacks and the economic losses that follow from them.
Further reading: www.woocoom.com/b021.html?i…
www.bleepingcomputer.com/news/securi…