GitHub recently announced an expansion of its token scanning tool to allow scanning across all public repositories. The Microsoft-owned company said this would be possible by teaming up with third-party cloud providers. Today, GitHub confirmed some new partners that will be joining the initiative.
If you're unfamiliar with token scanning, it is a feature announced several years ago. It allows users to identify leaked cryptographic secrets and revoke them before bad actors can exploit them. Last year, GitHub expanded the capabilities of token scanning to support more credential types.
This week, Atlassian, Dropbox, Discord, Proctorio, and Pulumi will join Alibaba Cloud, Amazon Web Services, Azure, Google Cloud, Mailgun, NPM, Slack, Stripe, and Twilio in allowing token scanning on their platforms.
In a blog post, GitHub engineering manager Patrick Toomey said repositories are scanned for tokens within minutes of going public. If a match to an encrypted SSH private key is found, GitHub informs the service provider with enough time for them to revoke tokens and notify the user.
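A defender-side illustration of the kind of check described above, run locally before code goes public: this is an added example, not GitHub's scanner or any provider's code. It spots private-key blocks in text and reports whether they are passphrase-protected, using the real `openssh-key-v1` cipher-name field and legacy PEM `Proc-Type`/`DEK-Info` headers; the sample key block is constructed and contains no key material.

```python
import base64
import binascii
import re
import struct

# Opening line of any PEM-style private key block (RSA, EC, OPENSSH, PKCS#8, ...)
BEGIN_RE = re.compile(r"-----BEGIN ((?:[A-Z0-9]+ )*)PRIVATE KEY-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(body_b64: str):
    """Return the cipher name stored in an openssh-key-v1 blob, or None if it is not one."""
    try:
        raw = base64.b64decode("".join(body_b64.split()), validate=True)
    except (ValueError, binascii.Error):
        return None
    off = len(OPENSSH_MAGIC)
    if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
        return None
    (n,) = struct.unpack(">I", raw[off:off + 4])   # length-prefixed cipher name
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def scan_text(text: str):
    """Find private-key blocks; report key kind, whether encrypted, and the line number."""
    findings = []
    for m in BEGIN_RE.finditer(text):
        kind = m.group(1).strip() or "PKCS8"
        end = text.find("-----END", m.end())
        body = text[m.end():end if end != -1 else len(text)]
        if kind == "OPENSSH":
            cipher = openssh_cipher(body)
            encrypted = cipher is not None and cipher != "none"
        elif kind == "ENCRYPTED":
            encrypted = True   # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
        else:
            # Legacy PEM (RSA/EC/DSA) marks passphrase-protected keys with these headers
            encrypted = "Proc-Type: 4,ENCRYPTED" in body or "DEK-Info:" in body
        findings.append({"kind": kind, "encrypted": encrypted,
                         "line": text.count("\n", 0, m.start()) + 1})
    return findings


def constructed_openssh_block(cipher: bytes) -> str:
    """Constructed sample, not a real key: only the magic and cipher-name field are present."""
    payload = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    sample = "config = 1\n" + constructed_openssh_block(b"aes256-ctr")   # constructed input
    for finding in scan_text(sample):
        print(finding)   # {'kind': 'OPENSSH', 'encrypted': True, 'line': 2}
```

An unencrypted finding is the one to treat as an incident: rotate the key, then remove it from history.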
“Composing cloud services like this is the norm going forward, but it comes with inherent security complexities,” says Toomey. “Each cloud service a developer typically uses requires one or more credentials, often in the form of API tokens. In the wrong hands, they can be used to access sensitive customer data — or vast computing resources for mining cryptocurrency, presenting significant risks to both users and cloud service providers.”
GitHub says the token scanning has been a big success. The company has sent over a billion token matches to service providers since October 2018.
In May, GitHub closed the purchase of Dependabot, a tool for automatically updating dependency licenses.
Dependabot is an open source service that allows users to automate dependency updates in their solutions.
The tool has been integrated into GitHub for developers to use. The company says the new app searches a project's dependencies for security vulnerabilities and updates them automatically to newer versions.