Microsoft-owned GitHub on Monday announced that its token scanning service will also check commits for Atlassian, Dropbox, Discord, Proctorio and Pulumi tokens that have been accidentally shared.
Third-party token scanning was introduced by GitHub in October 2018 and became generally available in May. The service scans public repositories for accidentally committed tokens and alerts the company that issued the token so that it can be revoked before it’s used for malicious purposes.
GitHub initially scanned commits for token formats associated with Alibaba Cloud, AWS, Azure, Google, Mailgun, npm, Slack, Stripe and Twilio. The company said on Monday that it has also added Atlassian, Dropbox, Discord, Proctorio and Pulumi to the list of partners.
“Now if you accidentally check in a token for products like JIRA or Discord, the provider gets notified about a potential match within seconds of check-in, allowing them to revoke the token before it’s used maliciously,” explained Justin Hutchings, senior product manager at GitHub.
According to GitHub, roughly one billion tokens have been sent to its scanning partners for validation since the launch of the service.
The company has advised cloud and API service providers who want to be notified when their tokens are leaked on GitHub to reach out and sign up as a scanning partner. The process involves defining a regular expression that matches the provider's token format, setting up an API endpoint to which GitHub can send potential matches, and some paperwork.
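To make the partner flow concrete, here is an added Python example (not GitHub's or any partner's code) that runs a handful of token-format regexes over the lines a commit adds, groups candidate tokens by partner, builds the notification body each partner endpoint would receive, and shows the validation step on the partner side, where a regex hit is only a potential match until it is checked against the partner's own issued-token store. The token patterns, partner names, payload shape and the sample commit are all assumptions constructed for the example; the tokens in it are placeholders, not real credentials.

```python
"""Regex-based token scanner modelled on the partner flow described above.
Added example; not GitHub's code. Token formats, partner names, payload shape
and the sample commit are assumptions made for illustration."""
import re
from collections import defaultdict

# Partner -> compiled pattern for that partner's token format. These are
# illustrative assumptions, not the regexes real partners registered with GitHub.
PARTNER_PATTERNS = {
    "aws": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack": re.compile(r"\bxox[bap]-[0-9]{10,}-[0-9A-Za-z-]{10,}\b"),
    "stripe": re.compile(r"\bsk_live_[0-9A-Za-z]{24}\b"),
}


def scan_commit(added_lines):
    """added_lines: list of (path, line_no, text) for lines a commit adds.
    Returns {partner: set(token)}; a set, so a token pasted in two files
    is reported to the partner once."""
    hits = defaultdict(set)
    for _path, _line_no, text in added_lines:
        for partner, pattern in PARTNER_PATTERNS.items():
            for match in pattern.finditer(text):
                hits[partner].add(match.group(0))
    return dict(hits)


def build_payloads(hits, repo_url, commit_sha):
    """One JSON-serialisable body per partner endpoint (assumed shape:
    token, type, and the URL of the commit the token was found in)."""
    return {
        partner: [
            {"token": tok, "type": partner, "url": f"{repo_url}/commit/{commit_sha}"}
            for tok in sorted(tokens)
        ]
        for partner, tokens in hits.items()
    }


def partner_validate(payload, issued_tokens):
    """Partner side. A regex match is only a *potential* token: check each
    candidate against the partner's own store of issued tokens, revoke the
    real ones and drop the rest as false positives."""
    revoked, false_positives = [], []
    for item in payload:
        if item["token"] in issued_tokens:
            revoked.append(item["token"])
        else:
            false_positives.append(item["token"])
    return revoked, false_positives


# Constructed sample commit (placeholder tokens, not real credentials).
SAMPLE_COMMIT = [
    ("config/prod.env", 3, "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    ("config/prod.env", 4, "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
    ("bot.py", 12, 'SLACK_TOKEN = "xoxb-1234567890-1234567890-abcdefghijklmnop"'),
    ("README.md", 20, "Use AKIAIOSFODNN7EXAMPLE for the demo bucket"),
    ("notes.txt", 1, "sk_live_ should be kept out of git"),  # prefix only, no match
]


if __name__ == "__main__":
    found = scan_commit(SAMPLE_COMMIT)
    bodies = build_payloads(found, "https://github.com/example/repo", "deadbeef")
    for partner, body in bodies.items():
        print(partner, body)
    # Assume AWS issued the leaked key, while the Slack string is not in Slack's store.
    print(partner_validate(bodies["aws"], {"AKIAIOSFODNN7EXAMPLE"}))
    print(partner_validate(bodies["slack"], set()))
```

The sample deliberately includes the same AWS key in two files and a bare `sk_live_` prefix: the first exercises de-duplication before notification, the second shows why the pattern anchors on the full token length rather than the prefix alone. The partner-side check is what keeps a format match from becoming a revocation of something that was never issued.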
Related: Slack Tokens Leaked on GitHub Put Companies at Risk
Related: Leaked GitHub API Token Exposed Homebrew Software Repositories
Related: GitHub Adds New Tools to Help Developers Secure Code