GitHub Now Scans Commits for Atlassian, Dropbox, Discord Tokens

Microsoft-owned GitHub on Monday announced that its token scanning service will also check commits for Atlassian, Dropbox, Discord, Proctorio and Pulumi tokens that have been accidentally shared.

Third-party token scanning was introduced by GitHub in October 2018 and became generally available in May. The service scans public repositories for accidentally committed tokens and alerts the company that issued the token so that it can be revoked before it’s used for malicious purposes.

GitHub initially scanned commits for token formats associated with Alibaba Cloud, AWS, Azure, Google, Mailgun, npm, Slack, Stripe and Twilio. The company said on Monday that it has also added Atlassian, Dropbox, Discord, Proctorio and Pulumi to the list of partners.

“Now if you accidentally check in a token for products like JIRA or Discord, the provider gets notified about a potential match within seconds of check-in, allowing them to revoke the token before it’s used maliciously,” explained Justin Hutchings, senior product manager at GitHub.

(Image: GitHub exposed token warning)

According to GitHub, roughly one billion tokens have been sent to its scanning partners for validation since the launch of the service.

The company has advised cloud and API service providers interested in ensuring that their tokens don’t become compromised to reach out and sign up to become a partner. The process involves defining a regular expression to match their token format, setting up an API endpoint, and some paperwork.
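The matching step the article describes, applied to a commit diff, as an added example that is not GitHub's or any partner's code. Only the AWS access-key-ID prefix is a genuine public format; the partner pattern and the sample diff are constructed, and the redaction step exists so that an alert does not re-leak the token it reports.

```python
import re
from dataclasses import dataclass

# Token-format patterns keyed by issuer. "AKIA" + 16 chars is the public AWS
# access-key-ID format; "example-partner" is a CONSTRUCTED placeholder regex,
# not a real Atlassian/Discord/Dropbox format.
TOKEN_PATTERNS = {
    "aws": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "example-partner": re.compile(r"\bexa_[A-Za-z0-9]{32}\b"),
}

@dataclass(frozen=True)
class Finding:
    issuer: str
    line_no: int   # line number within the diff
    redacted: str  # preview that is safe to show in an alert
    token: str     # full value, forwarded only to the issuer for revocation

def redact(token: str) -> str:
    """Keep a short prefix so the owner can recognise the key, mask the rest."""
    return token[:4] + "*" * (len(token) - 4)

def scan_diff(diff: str) -> list:
    """Scan only the lines a commit ADDS ('+' lines, not the '+++' header).
    Removed '-' lines are skipped: deleting a token is not a new exposure."""
    findings = []
    for no, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for issuer, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(issuer, no, redact(m.group()), m.group()))
    return findings

def by_issuer(findings: list) -> dict:
    """Group raw tokens per issuer, i.e. what each partner would be sent."""
    out = {}
    for f in findings:
        out.setdefault(f.issuer, []).append(f.token)
    return out

# Constructed sample diff; every key-looking string below is made up.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 DEBUG = False
-OLD_KEY = "AKIAOLDKEYOLDKEYOLD1"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+PARTNER_TOKEN = "exa_" + "x" * 32  # built at runtime: no literal to match
+PARTNER_TOKEN2 = "exa_abcdefghijklmnopqrstuvwxyz012345"
"""
```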

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.