GitHub announced Monday that it has expanded the scanning capabilities of its code hosting platform for GitHub Advanced Security customers to automatically block secret leaks.
Secret scanning is an advanced security option that organizations using GitHub Enterprise Cloud with a GitHub Advanced Security license can enable for additional repository scanning.
It works by matching patterns defined by the organization or provided by partners and service providers. Each match is reported as a security alert in the Security tab of the repository, or sent to the partner when it matches a partner pattern (so the partner can revoke the token).
Automatically blocks accidental secret exposure
The new feature, known as push protection, is designed to stop credentials from being accidentally leaked by checking for secrets before the code is pushed to a remote repository, rather than alerting after the secret has already landed in the repository's history.
The capability integrates secret scanning into the developer workflow. It covers 69 token types (API keys, authentication tokens, access tokens, management certificates, credentials, private keys, secret keys and more) that can be detected with a low false-positive rate.
“With push protection, GitHub will check for confidential secrets as developers push code and block the push if a secret is identified,” GitHub said.
“To enable this without disrupting development productivity, push protection only supports token types that can be accurately detected.”
If GitHub Enterprise Cloud identifies a secret in the commits being pushed, the git push is rejected and the developer is shown which secret was matched and where, so it can be removed before the push is retried. Note that deleting the secret in a follow-up commit is not enough: the original commit still carries it, so the affected commits have to be amended or rebased before pushing again.
Developers can also bypass the block by marking the detection as a false positive, as a credential used in tests, or as something to fix later; a bypassed secret is still recorded as a secret scanning alert for the repository's security team to review.
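To make the push-time check described above concrete, here is an added example (not GitHub's code, and not part of the original article) of a client-side git pre-push hook that imitates push protection locally: it scans only the lines a push would add and refuses the push on a match. The pattern list is an assumption for illustration (a GitHub token prefix, an AWS access key ID, a PEM private-key header), not GitHub's 69-pattern set, and the hook is meant as a safety net alongside the server-side block, not a replacement for it.

```shell
#!/bin/sh
# Added example: a local pre-push hook that emulates GitHub push protection.
# Install as .git/hooks/pre-push (chmod +x). Patterns below are illustrative
# assumptions, not GitHub's real detection set.

SECRET_PATTERNS='ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'

# scan_for_secrets: read candidate lines on stdin; report each match with its
# line number on stderr and return 1 (block) if anything matched, else 0 (allow).
scan_for_secrets() {
    matches=$(grep -E -n "$SECRET_PATTERNS" || true)
    if [ -n "$matches" ]; then
        printf 'push blocked: secret detected\n%s\n' "$matches" >&2
        return 1
    fi
    return 0
}

# added_lines BASE HEAD: only the '+' lines of the diff, i.e. content that would
# become visible on the remote. Lines already on the remote are not re-scanned.
added_lines() {
    git diff --unified=0 "$1" "$2" | grep -E '^\+' | grep -Ev '^\+\+\+ ' | sed 's/^+//'
}

# pre_push: consumes the "<local ref> <local sha> <remote ref> <remote sha>"
# lines git feeds a pre-push hook on stdin and scans every ref update. A remote
# sha of all zeros means a new branch, so the diff base is the empty tree.
pre_push() {
    zero=0000000000000000000000000000000000000000
    empty_tree=$(git hash-object -t tree /dev/null)
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ "$local_sha" = "$zero" ] && continue   # branch deletion: nothing to scan
        base=$remote_sha
        [ "$remote_sha" = "$zero" ] && base=$empty_tree
        added_lines "$base" "$local_sha" | scan_for_secrets || status=1
    done
    return $status
}

# Git runs the hook as .git/hooks/pre-push; only then do we consume stdin.
case "$0" in
    */hooks/pre-push) pre_push ;;
esac
```

Because the hook diffs against the remote's current commit, a secret that was pushed before the hook was installed is not reported; that history still needs a server-side scan or a history rewrite.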
Enable secret scanning push protection
Organizations with GitHub Advanced Security can enable push protection for secret scanning at both the repository and organization level, via the REST API or from the settings user interface.
To enable push protection for an organization:
1. Navigate to the organization's main page on GitHub.com.
2. Under the organization's name, click Settings.
3. In the "Security" section of the sidebar, click Code security and analysis.
4. Under "Code security and analysis", find "GitHub Advanced Security".
5. Under "Secret scanning", under "Push protection", click Enable all.
6. Optionally, select "Automatically enable for private repositories added to secret scanning".
You can also enable it for an individual repository under Settings > Code security and analysis > GitHub Advanced Security.
[Figure: Enabling push protection for secret scanning (GitHub)]
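The same repository-level switch can be flipped from a script, which is what you want when rolling push protection out across many repositories. The following is an added example, not from the article or from GitHub: it assumes the documented PATCH /repos/{owner}/{repo} REST endpoint accepts a security_and_analysis object with secret_scanning and secret_scanning_push_protection statuses (push protection depends on secret scanning being on), that the token in GITHUB_TOKEN has admin rights on the repository, and that api.github.com and the repository names are the ones you substitute.

```shell
#!/bin/sh
# Added example: enable secret scanning push protection on one repository via
# the GitHub REST API, then read the setting back to verify it. Endpoint and
# body shape are assumptions from the GitHub REST API docs, not from the article.

API="https://api.github.com"

# push_protection_body STATUS: JSON body turning secret scanning and push
# protection on ("enabled") or off ("disabled") together.
push_protection_body() {
    printf '{"security_and_analysis":{"secret_scanning":{"status":"%s"},"secret_scanning_push_protection":{"status":"%s"}}}' "$1" "$1"
}

# enable_push_protection OWNER REPO: send the PATCH; refuses to run without a token.
enable_push_protection() {
    owner=$1; repo=$2
    [ -n "$GITHUB_TOKEN" ] || { echo "GITHUB_TOKEN not set" >&2; return 2; }
    curl -sS -X PATCH "$API/repos/$owner/$repo" \
        -H "Accept: application/vnd.github+json" \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $GITHUB_TOKEN" \
        -d "$(push_protection_body enabled)"
}

# push_protection_status_from_json: extract the push-protection status from a
# repository JSON document on stdin. Whitespace is stripped first so GitHub's
# pretty-printed output matches; no jq dependency.
push_protection_status_from_json() {
    tr -d '\n ' | sed -n 's/.*"secret_scanning_push_protection":{"status":"\([a-z]*\)".*/\1/p'
}

# check_push_protection OWNER REPO: verify the setting independently of the
# PATCH response, which is what an audit or CI gate should rely on.
check_push_protection() {
    [ -n "$GITHUB_TOKEN" ] || { echo "GITHUB_TOKEN not set" >&2; return 2; }
    curl -sS "$API/repos/$1/$2" \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer $GITHUB_TOKEN" | push_protection_status_from_json
}
```

Usage: export GITHUB_TOKEN, run `enable_push_protection myorg myrepo`, then confirm with `[ "$(check_push_protection myorg myrepo)" = enabled ]` before treating the repository as protected.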
GitHub's documentation has more on secret scanning, including how push protection behaves when pushing from the command line and how to push a secret that has been flagged (that is, how to bypass the block when the detection is a false positive).
“To date, GitHub has detected over 700,000 secrets in thousands of private repositories using secret scanning for GitHub Advanced Security; GitHub also scans for our partner patterns across all public repositories (free),” added GitHub.
“Today we’re adding the option for GitHub Advanced Security customers to prevent leaks by scanning for secrets before accepting a Git push.”
As BleepingComputer previously reported [1, 2, 3], exposed credentials and secrets have led to major breaches.
Therefore, scanning for secrets before code is pushed takes organizations one step closer to protecting themselves from accidental leaks and tightening their software supply chain security.
This post, "GitHub can now block commits with API keys, auth tokens", was originally published at https://www.bleepingcomputer.com/news/security/github-can-now-block-commits-containing-api-keys-auth-tokens/