Faissal Salami
27 October 2022

GitHub Security

GitHub is a platform that hosts private and public source code repositories, allowing developers to store and share their code.

Sensitive information that is unintentionally or unknowingly pushed to this platform is at increased risk of being leaked. This may include API keys, identifying information, and other digital authentication strings.

According to a GitGuardian study, secrets in source code have seen a massive increase of around 50% since 2020. 

Several large organizations have had security breaches due to leaks and the discovery of secrets in employee repositories.  

Toyota recently reported that customers’ personal information may have been exposed after an access key had been made public in their repository for five years. 

In addition, many projects rely on third-party dependencies, which can expose them to vulnerabilities.

GitHub has several built-in security features to protect projects: 

  • Secret scanning
  • Code scanning
  • Dependabot:
      • Dependabot alerts
      • Dependabot security updates
      • Dependabot version updates

GitHub’s Built-in Features

GitHub’s built-in features can secure secrets and code. Some capabilities are included in the basic package, while others require a GitHub Advanced Security license. 

The table below outlines GitHub’s advanced security features for public and private projects. 

[Figure: table of GitHub’s advanced security features for public and private projects]

Source: GitHub documentation

The features can be enabled either at the repository or organizational level.  

Secret scanning

Some projects need to be connected to other applications. For example, when using Terraform, you can use an Azure app registration to perform a deployment. Unfortunately, if the app registration’s credentials are committed together with the code, anyone with access to the repository can use them to access Azure.

Secret scanning is a feature that lets you scan repositories for tokens or authentication keys.  

Thanks to its collaboration with multiple providers (AWS, Azure, GCP, Databricks, Atlassian, etc.), GitHub maintains a database of token formats that lets the tool recognize each provider’s secrets.

Example of the data that the vendors support: 

[Figure: example of the secret formats supported by the partner providers]

Source: GitHub documentation

The scan is performed automatically on the entire Git history on all branches. 

When GitHub detects a secret, it sends an email to the repository administrators, the organization owner, the author who pushed the code to GitHub, and the service provider that provided the secret. 

When the provider is notified that a secret has been compromised, it can revoke it, generate a new secret, or contact the user. 

The interface shows the list of secrets. 

[Figure: list of detected secrets in the GitHub interface]

Source: Microsoft documentation

Once the secret has been pushed to the repository, it must be considered compromised. The next step is to: 

  • Generate a new secret 
  • Update the secret in all applications 
  • Remove the compromised secret 
  • Resolve the alert in GitHub

Push Protection has been added to GitHub Enterprise Server and GitHub Enterprise Cloud in beta. This option checks for secrets at the moment the code is pushed. If a secret is found, the push is blocked and the author is notified so they can remove it before it ever reaches the repository.
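As an added example (not from the original post), here is how the Terraform-on-Azure scenario above can be deployed from a GitHub Actions workflow without the app registration’s client secret ever appearing in the code: the azurerm provider reads its credentials from ARM_* environment variables, which are populated from GitHub encrypted secrets. The workflow path, branch name and secret names are assumptions.

```yaml
# .github/workflows/terraform.yml  (assumed path)
#
# Weak pattern this replaces: a provider block committed with the credentials,
# readable by anyone with access to the repository and kept forever in Git history.
#   provider "azurerm" {
#     client_id     = "00000000-0000-0000-0000-000000000000"
#     client_secret = "<app registration password>"
#     ...
#   }
name: terraform-deploy

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # The azurerm provider picks these variables up automatically.
      # Their values live in the repository's encrypted secrets, not in the code.
      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - run: terraform init -input=false
      - run: terraform plan -input=false
      - run: terraform apply -auto-approve -input=false
```

If a secret is pushed anyway, the four remediation steps above still apply: rotate it in Azure, update the GitHub secret, remove the old value from the code and resolve the alert.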

Code scanning

Code scanning analyzes the code to detect vulnerabilities and errors automatically. 

The analysis can be performed regularly via a scheduled job or when a specific event occurs, such as when a developer pushes their code. 

It lets you sort and prioritize fixes for problems in your code, and it helps prevent developers from introducing new mistakes.

The engine that does this is CodeQL, which GitHub developed. 

There are two ways to use CodeQL: 

  • Add the CodeQL workflow to your repository. The github/codeql-action actions run the CodeQL CLI for you.
  • Use an external integration system to run the CodeQL CLI directly and upload the results to GitHub. 

CodeQL supports the following compiled and interpreted languages: 

C/C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby
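An added example, not taken from the original post, of the first option: a CodeQL workflow committed to the repository, triggered on pushes, pull requests and a weekly schedule as described above. The file path, branch name, cron schedule and the two languages in the matrix are assumptions; the github/codeql-action steps are the actions the post refers to.

```yaml
# .github/workflows/codeql.yml  (assumed path)
name: codeql

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # scheduled scan every Monday at 06:00 UTC

permissions:
  contents: read
  security-events: write   # required to upload results to the Security tab

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # One job per language; both must be among CodeQL's supported languages.
        language: [javascript, python]
    steps:
      - uses: actions/checkout@v3

      # Initializes the CodeQL database for the selected language.
      - uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}

      # Builds compiled languages automatically; a no-op for interpreted ones.
      - uses: github/codeql-action/autobuild@v2

      # Runs the queries and uploads the SARIF results to GitHub code scanning.
      - uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"
```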

Dependencies

Some projects depend on third-party applications, which can be a security risk if the dependencies have vulnerabilities. 

GitHub provides tools that can help you find and fix vulnerabilities: 

  • Dependency graph: parses the dependency manifests in the repository and lists the packages the code depends on. It is generated automatically for public repositories.
  • Dependency review: shows which dependencies have been added, removed, or updated in a pull request.
  • Dependabot: a service that updates dependencies automatically. It analyzes the repositories and opens a pull request whenever a package can be updated. The dependency graph must be enabled for Dependabot to work.
  • Dependabot alerts: raise alerts about vulnerable dependencies in public repositories.
  • Dependabot security updates: automatically update vulnerable dependencies by opening a pull request.
  • Dependabot version updates: keep all packages used by your repository up to date.
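As an added example (not from the original post), a dependabot.yml that turns on Dependabot version updates for three ecosystems in one repository. The directories, ecosystems, schedule and pull request limit are assumptions; Dependabot alerts and security updates are enabled in the repository settings rather than in this file.

```yaml
# .github/dependabot.yml  (assumed path)
version: 2
updates:
  # Application dependencies declared in package.json / package-lock.json.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # Terraform providers and modules used by the infrastructure code.
  - package-ecosystem: "terraform"
    directory: "/infra"
    schedule:
      interval: "weekly"

  # The actions referenced by the workflows themselves (e.g. actions/checkout),
  # so that the CI pipeline is kept up to date as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```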

Since these features are easy to activate, enabling them is a simple way to prevent potential mistakes.
