Introducing secret scanning validity checks for major cloud services

Git

At GitHub, we launched secret scanning with the mission of eliminating all credential leaks. In support of this mission, this year we’ve made and secret scanning free on public repositories to help open source users detect and prevent secret leaks. We also shipped for GitHub Advanced Security customers to better understand trends across their organization.

But a good security experience isn’t just about reducing noise and delivering high-confidence alerts; it should make your remediation efforts simpler and faster. A key component of remediation is assessing whether a token is active or not. To that end, we introduced for GitHub tokens earlier this year, which removes manual effort and friction from the process. You can see a token’s status within the UI, saving you time and allowing you to prioritize remediation efforts more efficiently. This is especially useful when you have to comb through hundreds or even thousands of alerts.

Today, we’re excited to announce that we have extended validity checks for select tokens from AWS, Microsoft, Google, and Slack. These account for some of the most common types of secrets detected across repositories on GitHub. This is just the beginning; we’ll continuously expand validation support for more tokens in our . You can keep up to date on our progress via .

How to get started


Enterprise or organization owners and repository administrators can activate validity checks by going to “Settings” and “Code security and analysis.” Scroll down to “Secret scanning” and check the box for “Automatically verify if a secret is valid by sending it to the relevant partner” to activate validity checks for non-GitHub tokens.

Screenshot of the Secret scanning settings with the box for “Automatically verify if a secret is valid by sending it to the relevant partner” checked.


Once the setting is enabled, you can see within alerts whether the token is active or not. We perform checks periodically in the background, but you can also conduct a manual refresh by clicking ‘Verify secret’ in the top right corner.

Animation showing how a user can manually verify whether a secret is valid by clicking ‘Verify secret’ in the top right corner.


View the token’s status at a glance on the alert index view. Inactive tokens do not display a status in the index.


Validity checks are another piece of information at your disposal when investigating a secret scanning alert. We hope this feature will provide greater speed and efficiency in triaging alerts and remediation efforts. If you have feedback to share, please reach out to us in the .


Visit our to learn more about , , or the .


The post appeared first on .
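When an organization has hundreds of alerts, the validity status described above is what lets you work the live tokens first. The following is an added example (not GitHub's code and not part of the original post): a small Python helper that orders secret scanning alerts for remediation by validity. It assumes alert records shaped like GitHub's REST API secret-scanning alert objects, including a `validity` field of `active`, `inactive` or `unknown`; the sample alerts are constructed, and the `secret_type` prefix-to-provider mapping is an assumption for illustration.

```python
"""Order GitHub secret scanning alerts for remediation by validity status.

Added example; not GitHub's code. Alert records are assumed to follow the
REST API alert shape (state, secret_type, validity, created_at). Sample data
below is constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Providers covered by the announcement, keyed by an assumed secret_type prefix.
COVERED_PREFIXES = {"aws": "AWS", "azure": "Microsoft",
                    "google": "Google", "slack": "Slack"}

# A confirmed-live token is the emergency; an unchecked one is treated as live
# until proven otherwise; a dead token is cleanup work.
VALIDITY_RANK = {"active": 0, "unknown": 1, "inactive": 2}


def provider_of(secret_type: str) -> Optional[str]:
    """Map an alert's secret_type to a covered provider, or None."""
    head = secret_type.split("_", 1)[0].lower()
    return COVERED_PREFIXES.get(head)


def triage(alerts: List[Dict]) -> List[Dict]:
    """Return open alerts: active first, then unknown, then inactive;
    within a rank, the oldest leak (longest exposure) first."""
    def key(alert: Dict):
        # A pattern without validity support has no field: treat as unchecked.
        rank = VALIDITY_RANK.get(alert.get("validity", "unknown"), 1)
        created = datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))
        return (rank, created.astimezone(timezone.utc))

    open_alerts = [a for a in alerts if a.get("state") == "open"]
    return [{**a, "provider": provider_of(a["secret_type"])}
            for a in sorted(open_alerts, key=key)]


# Constructed sample alerts, not real data.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "secret_type": "aws_access_key_id",
     "validity": "inactive", "created_at": "2023-06-01T10:00:00Z"},
    {"number": 2, "state": "open", "secret_type": "slack_api_token",
     "validity": "active", "created_at": "2023-09-12T08:30:00Z"},
    {"number": 3, "state": "resolved", "secret_type": "google_api_key",
     "validity": "active", "created_at": "2023-05-20T12:00:00Z"},
    {"number": 4, "state": "open", "secret_type": "azure_storage_account_key",
     "validity": "active", "created_at": "2023-08-01T09:00:00Z"},
    {"number": 5, "state": "open", "secret_type": "stripe_api_key",
     "created_at": "2023-07-15T14:00:00Z"},  # no validity field
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a["number"], a.get("validity", "unknown"), a["provider"])
```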
 

AI G

Moderator
The latest announcement from GitHub introduces the extension of validity checks for select tokens from major cloud services including AWS, Microsoft, Google, and Slack. Validity checks are designed to assess whether a token is active or not, making the remediation process simpler and faster for GitHub users.

By enabling validity checks, enterprise or organization owners, as well as repository administrators, can verify the status of non-GitHub tokens from the "Settings" and "Code security and analysis" section. The relevant option “Automatically verify if a secret is valid by sending it to the relevant partner” needs to be checked to activate validity checks.

Once enabled, the token’s status can be viewed within the alerts. GitHub performs periodic checks in the background, but users can also manually refresh the status by clicking on the "Verify secret" button. The token's status will be displayed on the alert index view, providing users with valuable information when investigating secret scanning alerts.

The addition of validity checks for tokens from major cloud services is part of GitHub's efforts to expand validation support through the secret scanning partner program. GitHub aims to continuously increase the number of supported tokens and patterns.

For more information on how to get started with validity checks, users can refer to the GitHub documentation and the Code Security community discussion for providing feedback.