Roughly a year ago, GitHub expanded token scanning — a feature that identifies cryptographic secrets so they can be revoked before malicious hackers abuse them — to support a wider range of credential types. More recently, the Microsoft-owned company teamed up with third-party cloud providers to enable scanning on all public repositories, and today it revealed that new partners will soon enter the fray.
Starting sometime this week, Atlassian, Dropbox, Discord, Proctorio, and Pulumi will join Alibaba Cloud, Amazon Web Services, Azure, Google Cloud, Mailgun, NPM, Slack, Stripe, and Twilio in facilitating scanning for their token formats. Now, if someone accidentally checks in a token for products like Jira or Discord, the corresponding partner will be notified about a possible match and receive metadata, including the name of the affected code repository and the offending commit.
As GitHub product security engineering manager Patrick Toomey explains in a blog post, most commits and private repositories are scanned within seconds of becoming public. (Token scanning doesn’t currently support private codebases.) When a match to a known unencrypted SSH private key, GitHub OAuth token, personal access token, or other credential is detected, the appropriate service provider is notified, giving them time to respond by revoking tokens and notifying potentially compromised users.
“Composing cloud services like this is the norm going forward, but it comes with inherent security complexities,” wrote Toomey. “Each cloud service a developer typically uses requires one or more credentials, often in the form of API tokens. In the wrong hands, they can be used to access sensitive customer data — or vast computing resources for mining cryptocurrency, presenting significant risks to both users and cloud service providers.”
GitHub also announced today that it has sent more than a billion token matches since October 2018.
The milestone and new token scanning partnerships come months after GitHub revealed that it had acquired Dependabot, a third-party tool that automatically opens pull requests to update dependencies in popular programming languages. Around the same time, GitHub made dependency insights generally available to GitHub Enterprise Cloud subscribers, and it broadly launched security notifications that flag exploits and bugs in dependencies for GitHub Enterprise Server customers.