If you’re unfamiliar with token scanning, it is a feature announced around several years ago. It allows users to identify cryptographic secrets and revoke them before bad actors can exploit them. Last year, GitHub expanded the capabilities of token scanning to support more credential types. In a blog post, GitHub engineering manager Patrick Toomey said repositories are token scanned within minutes of going public. If a match to an encrypted SSH private key is found, GitHub informs the service provider with enough time for them to revoke tokens and notify the user. “Composing cloud services like this is the norm going forward, but it comes with inherent security complexities,” says Toomey. “Each cloud service a developer typically uses requires one or more credentials, often in the form of API tokens. In the wrong hands, they can be used to access sensitive customer data — or vast computing resources for mining cryptocurrency, presenting significant risks to both users and cloud service providers.” GitHub says the token scanning has been a big success. The company has sent over a billion token matches to service providers since October 2018.
Dependabot
In May, GitHub closed the purchase of Dependabot, a tool for automatically updating dependency licenses. Dependabot is an open source service that allows users to automate dependency updates in their solutions. The tool has been integrated into GitHub for dev’s to use. The company says the new app searches dependencies in a project for security vulnerabilities and updates them automatically to newer versions.
