Security News
GitHub's Chief Security Officer and SVP of Engineering shared more details today on a string of outages that hit the code hosting platform last week. The second outage, occurring on May 10, impacted the issuance of authentication tokens for GitHub Apps and resulted from high load and inefficient implementation of an API responsible for managing GitHub App permissions.
GitHub has announced the general availability of a new security feature called push protection, which aims to prevent developers from inadvertently leaking keys and other secrets in their code. The Microsoft-owned cloud-based repository hosting platform, which began testing the feature a year ago, said it's also extending push protection to all public repositories at no extra cost.
GitHub is making push protection - a security feature designed to automatically prevent the leaking of secrets to repositories - free for owners of all public repositories. Prevent leaking secrets with GitHub push protection.
GitHub is now automatically blocking the leak of sensitive information like API keys and access tokens for all public code repositories. This feature proactively prevents leaks by scanning for secrets before 'git push' operations are accepted, and it works with 69 token types that can be detected with a low false-positive rate.
GitHub has announced that its private vulnerability reporting feature for open source repositories is now available to all project owners. The private vulnerability reporting feature provides a direct collaboration channel that allows researchers to more easily report vulnerabilities, and maintainers to easily fix them.
GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, on all repositories belonging to an organization. Since its introduction as an opt-in feature in November 2022 during the GitHub Universe 2022 global developer event, "Maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving more than 1,000 submissions from security researchers."
Developers who use GitHub Actions to build software packages for the npm registry can now add a command flag that will publish details about the code's origin. GitHub Actions is often used by software developers to mechanize the build process for packages distributed through the company's npm registry, which hosts more than two million of these modular libraries.
OSC&R is an open framework for understanding and evaluating software supply chain security threats. Spearheaded by OX Security, OSC&R is a MITRE-like framework designed to provide a common language and structure for understanding and analyzing the tactics, techniques, and procedures used by adversaries to compromise the security of software supply chains.
GitHub is now prompting developers and administrators who use the site to secure their accounts with two-factor authentication. The move toward two-factor authentication for all such users officially started on March 13 and will be a requirement by the end of 2023, GitHub said in a recent blog post.
GitHub has updated its SSH keys after accidentally publishing the private part to the world. A post on GitHub's security blog reveals that the company has changed its RSA SSH host keys.