Microsoft-owned code hosting platform GitHub this week announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors.
The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, it helped identify 1.7 million potential secrets exposed in public repositories.
“Secret scanning alerts notify you directly about leaked secrets in your code. We’ll still notify our partners for your fastest protection, but now you can own the holistic security of your repositories. You’ll also receive alerts for secrets where it’s not possible to notify a partner—for example, if the keys to your self-hosted HashiCorp Vault are exposed,” GitHub explains.
Starting this week, the feature is available for free on all public repositories, to help prevent secret exposures and secure the open source ecosystem. The feature is rolling out in beta, and GitHub expects it to reach all users by the end of January 2023.
Developers will find the option available in their repositories under ‘Code security and analysis’ settings. Secret scanning can be launched from the ‘Security’ tab, underneath ‘Vulnerability alerts’. A list of identified secrets will be available there, containing remediation suggestions for each of them.
On Thursday, GitHub announced that organizations that have defined custom patterns for their secret scanning can now enable push protection for them and configure it on a pattern-by-pattern basis.
“You can define custom patterns at the repository, organization, and enterprise levels. And now, you can also enable push protection for custom patterns at the organization or repository level. With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern,” the code hosting platform says.
Custom patterns can be defined from the organization’s code security settings page, if GitHub Advanced Security and secret scanning are enabled. Organizations can dry run new patterns before publishing them and can enable ‘Push protection’ from the custom pattern’s page.
“GitHub recommends regularly checking your custom pattern’s alerts to make sure that you’re keeping false positive noise as low as possible for your developers. This strategic use of push protection can help you build trust between your contributors and their security alerts, so that alerts are properly actioned when needed,” the platform notes.
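To make the behaviour described above concrete, here is an added example (not GitHub's own code) that models how a custom pattern with push protection differs from one that only raises alerts, and how a dry run reports matches without blocking. The pattern names, regexes and the pushed lines are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class CustomPattern:
    name: str               # label shown in alerts
    regex: str              # secret format to detect
    push_protection: bool   # True: block the push; False: alert only


# Constructed patterns; they stand in for an organization's own definitions.
PATTERNS = [
    CustomPattern("acme-api-key", r"\bACME_[A-Z0-9]{16}\b", push_protection=True),
    CustomPattern("legacy-token", r"\blegacy_tok_[a-f0-9]{8}\b", push_protection=False),
]

# Constructed "added lines" from a hypothetical push.
SAMPLE_ADDED_LINES = [
    'ACME_KEY = "ACME_ABCDEFGH12345678"',
    'old = "legacy_tok_deadbeef"',
    'print("no secrets here")',
]


def scan_lines(lines, patterns):
    """Return (pattern name, line number, matched text) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for p in patterns:
            for m in re.finditer(p.regex, line):
                hits.append((p.name, lineno, m.group(0)))
    return hits


def evaluate_push(added_lines, patterns, dry_run=False):
    """Decide whether a push is blocked.

    Only patterns with push_protection enabled can block. In dry-run mode
    (testing a pattern before publishing it) every match is reported as an
    alert so its false-positive noise can be reviewed, and nothing is blocked.
    """
    hits = scan_lines(added_lines, patterns)
    enforcing = {p.name for p in patterns if p.push_protection and not dry_run}
    blocking = [h for h in hits if h[0] in enforcing]
    alerts = [h for h in hits if h[0] not in enforcing]
    return {"blocked": bool(blocking), "blocking": blocking, "alerts": alerts}
```

Running `evaluate_push(SAMPLE_ADDED_LINES, PATTERNS)` blocks on the first line only, while the legacy token surfaces as an alert; with `dry_run=True` both appear as alerts and the push goes through.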
To further improve repository security, GitHub will require millions of developers on the platform to enable 2FA for their accounts in 2023. Initially announced in May, the requirement will be rolled out gradually starting March 2023 and is expected to reach all developers and contributors by the end of the year.
Mandatory 2FA targets users who publish GitHub or OAuth apps or packages, those who create a release, enterprise and organization administrators, and those who contribute code either to approximately the top four million public and private repositories or to repositories deemed critical by NPM, OpenSSF, PyPI, or RubyGems.
“We’ll assess the outcomes of the rollout after each group–observing user success rates for 2FA onboarding, rates of account lockout and recovery, and our support ticket volume. This data will enable us to adjust our approach and more appropriately size and schedule remaining groups as needed to ensure a positive experience for developers, and support workloads GitHub can sustain,” GitHub announced.
The platform will start sending reminders to the targeted users 45 days prior to the mandatory 2FA deadline, will then prompt them to enable the feature each day when they access GitHub, and, seven days after the deadline, will block their accounts from accessing the platform’s features until 2FA is enabled.
“Twenty-eight (28) days after you enable 2FA, you will be presented with a 2FA check-up while using GitHub.com, which validates that your 2FA setup is working correctly. Previously signed in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors or recovery codes during onboarding,” GitHub explains.