GitHub secret scanning now supports PyPI and RubyGems

GitHub recently extended its secret scanning feature to cover PyPI and RubyGems registry secrets, to prevent Ruby and Python developers from inadvertently committing secrets and credentials to their GitHub repositories.

A secret, also known as a token, is a unique string used for authentication. When writing software, developers usually rely on third-party software to avoid “reinventing the wheel”. Sometimes that third-party software can simply be imported into the code, but often it must communicate with an external service before it can be used. That is when a secret is needed for verification, much like using a username and password to log in to an account. For example, on GitHub, a user who wants to use the API to modify their account or repositories must generate a personal access token.

GitHub secret scanning is a service that scans pushes to repositories and searches for potentially exposed secrets, to protect users’ code and their third-party accounts. Public repositories are scanned automatically; private repositories need to enable the service manually. Currently, GitHub has partnered with more than 40 cloud providers to scan for more than 70 different types of secrets. When it discovers a secret, it either sends it directly to the third-party cloud provider for revocation or notifies the owners of the repository.

According to the official announcement, GitHub secret scanning has recently added support for RubyGems and PyPI secrets, alongside its existing scanning for npm, NuGet, and Clojars secrets. Taking RubyGems as an example, if a user commits a RubyGems API key to a public repository, GitHub secret scanning finds the secret when the commit is automatically scanned and notifies RubyGems of the leak. RubyGems then revokes the secret and sends an email to the user informing them that the secret has been leaked.
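The push-time flow described above, as an added illustration that is not GitHub's or RubyGems' code: a minimal scanner that inspects only the lines a push adds, reports findings with the secret redacted, and ignores credentials that a push removes. The token patterns and the sample diff are assumptions constructed for this example; GitHub's scanner uses the exact formats agreed with each partner.

```python
import re
from dataclasses import dataclass

# Token formats are assumptions for this example, modelled loosely on the public
# prefixes these services use; GitHub's scanner uses the partners' exact patterns.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pypi_token": re.compile(r"\bpypi-[A-Za-z0-9_\-]{40,}\b"),
    "rubygems_key": re.compile(r"\brubygems_[0-9a-f]{48}\b"),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int   # line in the new version of the file
    redacted: str  # prefix and tail only; the full secret is never stored or logged

def redact(token: str) -> str:
    return token[:8] + "..." + token[-4:]

def scan_added_lines(diff: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, as a push-time scanner would:
    context and removed lines are not newly exposed content."""
    findings, line_no = [], 0
    for raw in diff.splitlines():
        if raw.startswith("@@"):  # "@@ -a,b +c,d @@": c is the new-file start line
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith(("+++", "-")):  # file headers and removed lines
            continue
        line_no += 1
        if not raw.startswith("+"):  # context line: counted but not scanned
            continue
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(raw):
                findings.append(Finding(kind, line_no, redact(m.group(0))))
    return findings

# Constructed sample push (no real credentials): an old GitHub PAT is removed,
# a PyPI token and a RubyGems key are added.
FAKE_PYPI = "pypi-AgEIcHlwaS5vcmc" + "A" * 40
FAKE_GEM = "rubygems_" + "0123456789abcdef" * 3
OLD_PAT = "ghp_" + "B" * 36
SAMPLE_DIFF = (
    "--- a/.pypirc\n+++ b/.pypirc\n@@ -1,3 +1,4 @@\n"
    " [pypi]\n username = __token__\n"
    f"-password = {OLD_PAT}\n+password = {FAKE_PYPI}\n+# gem push --key {FAKE_GEM}\n"
)
```

Running `scan_added_lines(SAMPLE_DIFF)` reports the PyPI token on new line 3 and the RubyGems key on new line 4, and nothing for the removed PAT, which a real service would have revoked when it was first pushed.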

GitHub said it will continue to add support for new secret types (for any cloud provider, not just package management services), such as the recently added Adobe and OpenAI secrets, which are not from package management services. For details of GitHub secret scanning, see the official documentation.