GitHub Security

GitHub is a private or public source code repository that allows developers to host and share their code.
Sensitive information that is unintentionally or unknowingly committed to the platform is at risk of being leaked. This may include API keys, identifying information, and other digital authentication strings.
According to a GitGuardian study, secrets in source code have seen a massive increase of around 50% since 2020.
Several large organizations have had security breaches due to leaks and the discovery of secrets in employee repositories.
Toyota recently reported that customers’ personal information may have been exposed after an access key had been made public in their repository for five years.
In addition, most projects rely on third-party dependencies, and a vulnerable dependency leaves the project open to attack.
GitHub has several built-in security features to protect projects:
- Secret scanning
- Code scanning
- Dependabot:
  - Dependabot alerts
  - Dependabot security updates
  - Dependabot version updates
GitHub’s Built-in Features
GitHub’s built-in features can secure secrets and code. Some capabilities are included in the basic package, while others require a GitHub Advanced Security license.
The table below outlines GitHub’s advanced security features for public and private projects.
[Table: GitHub’s advanced security features for public and private projects. Source: GitHub documentation]
The features can be enabled either at the repository or organizational level.
Secret scanning
Some projects need credentials for external services. For example, a Terraform deployment to Azure can authenticate with an app registration. Unfortunately, if the app registration’s credentials are committed together with the code, anyone with access to the repository can use them to access Azure.
Secret scanning is a feature that scans repositories for tokens and authentication keys.
In collaboration with multiple providers (AWS, Azure, GCP, Databricks, Atlassian, etc.), GitHub built a database of token formats that lets the tool recognize each provider’s secrets.
[Table: examples of the secret types supported per provider. Source: GitHub documentation]
The scan is performed automatically on the entire Git history on all branches.
When GitHub detects a secret, it sends an email to the repository administrators, the organization owner, the author who pushed the code to GitHub, and the service provider that issued the secret.
Once notified that one of its secrets has been compromised, the provider can revoke it, generate a new secret, or contact the user.
[Screenshot: the GitHub interface showing the list of detected secrets. Source: Microsoft documentation]
Once a secret has been pushed to the repository, it must be considered compromised, even if the commit is later rewritten. The next steps are to:
- Generate a new secret
- Update the secret in all applications that use it
- Revoke the compromised secret
- Resolve the alert in GitHub
Push protection has been added to GitHub Enterprise Server and GitHub Enterprise Cloud in beta. This option checks for secrets at push time: if a secret is found, the push is rejected and the author is notified so they can remove it before the code reaches the repository.
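A local pre-push check in the spirit of push protection, as an added example that is not GitHub’s scanner or its partner patterns: it flags a few well-known token formats in the text of a diff before the code leaves the workstation. The regular expressions are simplified assumptions, and the sample input is constructed with placeholder values.

```python
import re
import sys

# Simplified, constructed patterns for a few well-known token formats.
# They are illustrative assumptions, not GitHub's partner-provided patterns.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def mask(token):
    """Keep a short prefix only, so the report itself never re-exposes the secret."""
    return token[:8] + "..."


def find_secrets(text):
    """Return (line_number, secret_type, masked_value) for every match in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, name, mask(match.group(0))))
    return hits


# Constructed sample input (the kind of text `git diff --cached` would emit).
# AKIAIOSFODNN7EXAMPLE is the placeholder key used in AWS documentation.
SAMPLE = """\
region     = "eu-west-1"
access_key = "AKIAIOSFODNN7EXAMPLE"
gh_token   = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
-----BEGIN RSA PRIVATE KEY-----
"""


def report(text):
    """Print each finding and return True when the push should be blocked."""
    hits = find_secrets(text)
    for lineno, name, masked in hits:
        print(f"line {lineno}: possible {name} ({masked})")
    return bool(hits)


if __name__ == "__main__":
    # Hook usage: git diff --cached | python scan_secrets.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.exit(1 if report(data) else 0)
```

Run from a pre-push hook, a non-zero exit blocks the push; a secret that is only caught here has still not been committed to a shared history, unlike one caught by server-side scanning.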
Code scanning
Code scanning analyzes the code to detect vulnerabilities and errors automatically.
The analysis can be performed regularly via a scheduled job or when a specific event occurs, such as when a developer pushes their code.
It lets you triage and prioritize fixes for problems in your code, and it helps prevent developers from introducing new ones.
The analysis engine is CodeQL, which GitHub developed.
There are two ways to use CodeQL:
- Add the CodeQL workflow to your repository. The github/codeql-action action runs the CodeQL CLI for you.
- Use an external CI system to run the CodeQL CLI directly and upload the results to GitHub.
CodeQL supports the following compiled and interpreted languages: C/C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby.
Dependencies
Some projects depend on third-party applications, which can be a security risk if the dependencies have vulnerabilities.
GitHub provides tools that can help you find and fix vulnerabilities:
- Dependency graph: identifies the project’s dependencies by reading the dependency manifests in the code. It is generated automatically for public repositories.
- Dependency review: shows which dependencies have been added, removed, or updated in a pull request.
- Dependabot: a service that updates dependencies automatically. It analyzes the repository and opens a pull request whenever a dependency can be updated. The dependency graph must be enabled for Dependabot to work.
- Dependabot alerts: issue alerts about dependency vulnerabilities in public repositories.
- Dependabot security updates: automatically update vulnerable dependencies or generate a pull request.
- Dependabot version updates: automatically keep all packages used by your repository up to date.
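An added example of the dependabot.yml that turns on version updates (not from the page or from GitHub): the ecosystems, directory, schedule and limits are assumptions for a project with Python code, Terraform configuration and GitHub Actions workflows.

```yaml
# .github/dependabot.yml (assumed path; example only)
version: 2
updates:
  # Python dependencies declared in requirements files at the repository root
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # Terraform providers and modules used for the deployment
  - package-ecosystem: "terraform"
    directory: "/"
    schedule:
      interval: "weekly"

  # The actions referenced by the workflows themselves (e.g. codeql-action)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```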
In short, these features are easy to activate, so enabling them is a cheap way to prevent costly mistakes.
This post is part of our Cloud Security Month series on cloud security; contact our experts if you would like to learn more.