Security News > 2021 > June > GitHub now scans for accidentally-exposed PyPI, RubyGems secrets

GitHub now scans for accidentally-exposed PyPI, RubyGems secrets
2021-06-09 07:24

GitHub has recently expanded its secrets scanning capabilities to repositories containing PyPI and RubyGems registry secrets.

The move helps protect millions of applications built by Ruby and Python developers who may inadvertently be committing secrets and credentials to their public GitHub repos.

Yesterday, GitHub announced that it will now automatically scan repositories exposing PyPI and RubyGems secrets, such as credentials and API tokens.

When GitHub spots a password, an API token, private SSH keys, or another supported secret exposed in a public repository, it notifies the registry maintainer.

"If we find one, we notify the registry, and they automatically revoke any compromised secrets and notify their owner," explains GitHub software engineer Annie Gesellchen in yesterday's blog post.

The advantage here of GitHub's partnership with RubyGems and PyPI remains that the exposed secrets are revoked within seconds in an automated fashion, rather than waiting on the developer to take manual action.


News URL

https://www.bleepingcomputer.com/news/security/github-now-scans-for-accidentally-exposed-pypi-rubygems-secrets/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 12 2 45 29 19 95
Rubygems 2 0 3 16 4 23
Pypi 15 0 0 1 15 16