Imagine the following situation: you are uploading new code to GitHub and, without realizing it, publish something confidential. With that in mind, the Microsoft-owned platform announced this Thursday (15) a scan that alerts developers when there is sensitive information in a public repository. And best of all: it's free.
The update is part of a tool that was already available to some platform partners.
With the change, the platform will continuously scan public repositories to detect keys and other types of stored credentials. If the system finds something of this kind, the person responsible for the repository will be alerted immediately so the situation can be resolved.
All this worry is not in vain. According to GitHub, in 2022 alone, more than 1.7 million potential partner secrets were exposed in public repositories. And the year isn’t even over yet.
This sensitive data can cause considerable damage if it falls into the wrong hands. For example, if a private key is improperly stored on GitHub, depending on the situation, a hacker may use the credential to break into a system and collect other sensitive information.
The same can happen with logins and passwords stored in plain text, a problem that has already affected even large companies.
How does GitHub scanning work?
The operation is quite simple.
The scanning function checks the files stored in the repository. So when you upload confidential information, the system will scan it and notify you so that measures can be taken as soon as possible.
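To make the mechanism concrete, here is an added example of a minimal secret scanner of the kind described above. It is not GitHub's code and the detection patterns are illustrative, not GitHub's partner patterns; the repository contents, the access key and the database URL are constructed sample data. It walks each file line by line, matches a few credential patterns, skips obvious placeholders and reports a redacted preview so the alert itself does not echo the full secret.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample repository: a few files a developer might commit by mistake.
# The key and password below are made up for this example and are not real credentials.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAQ3ZX7Y2WPL9MN4KT'\n"
        "DATABASE_URL = 'postgres://app:hunter2@db.internal:5432/app'\n"
    ),
    "src/main.py": "def main():\n    print('hello')\n",
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedbody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    ".env.example": "API_TOKEN=<your token here>\n",
}

# Illustrative (name, regex) pairs; real scanners ship many more, vendor-specific patterns.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("url_with_password", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:@/]+:[^\s@/]+@")),
    ("generic_assignment", re.compile(r"(?i)(password|passwd|secret|token)\s*[=:]\s*['\"]?([^\s'\"<>]{8,})")),
]

# Substrings that mark a value as a documentation placeholder rather than a live secret.
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "your_", "xxxx")


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # redacted, never the full matched value


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    """Keep the first 4 and last 2 characters so the owner can recognise the secret."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents and return one finding per pattern hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(0)
                if is_placeholder(value):
                    continue
                findings.append(Finding(path, lineno, rule, redact(value)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of an in-memory repository snapshot."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.rule}] {f.preview}")
```

Running the block reports the constructed access key, the password embedded in the database URL and the private key header, while the `.env.example` placeholder produces no alert. A real service additionally scans every pushed commit rather than a snapshot and routes alerts to the repository's security tab, as the article describes.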
“You will always have easy tracking of all alerts to drill down to the source of the leak and audit the actions taken on the alert,” GitHub stated.
To use the new feature, you need to activate it in your repository.
If your account is already eligible, just open the repository settings and go to the “Code security and analysis” option. Then just enable “code scanning”.
Reports with analysis information will be available on the “Security” tab.
“We will begin our gradual public beta rollout of secret verification for public repositories this Thursday (15th) and expect all users to have the feature by the end of January 2023,” they explained.