GitHub has implemented a check for leaks of confidential data in repositories

GitHub announced the launch of a free service for tracking the accidental publication of confidential data in repositories, such as encryption keys, DBMS passwords and API access credentials. Previously, this service was available only to participants in the beta testing program; now it is provided without restrictions for all public repositories. To enable checking of your repository, activate the "Secret scanning" option in the "Code security and analysis" section of the repository settings.

In total, more than 200 templates have been implemented to identify various types of keys, tokens, certificates and credentials. The search for leaks covers not only code but also Issues, descriptions and comments. To rule out false positives, only reliably identifiable types of tokens are checked, covering more than 100 different services, including Amazon Web Services, Azure, Crates.io, DigitalOcean, Google Cloud, NPM, PyPI, RubyGems and Yandex.Cloud. Additionally, warnings are sent when self-signed certificates and keys are detected.
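To illustrate the approach described above (matching only token formats with a fixed, recognizable shape so that false positives stay low), here is an added example of a minimal secret scanner. It is not GitHub's code and does not reproduce its templates; the two token patterns are assumptions based on the publicly documented prefixes of AWS access key IDs (AKIA plus 16 uppercase alphanumerics) and classic GitHub personal access tokens (ghp_ plus 36 alphanumerics), and the sample input is constructed for the example. The scanner reports the finding kind and line number with the matched value redacted, which is what a defender wants in an alert or pre-commit hook.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# High-precision patterns for token formats with a fixed, documented shape.
# These are assumptions of this example (well-known public formats), not
# the templates GitHub itself uses. Free-form passwords are deliberately not
# matched: a generic "password=" pattern would produce many false positives.
PATTERNS: dict[str, re.Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # which pattern matched
    line_no: int    # 1-based line number in the scanned text
    redacted: str   # matched value with the middle masked, safe to log


def redact(secret: str) -> str:
    """Keep the first and last four characters so the owner can recognise
    the credential, mask everything else so the alert itself is not a leak."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Run every pattern over every line; return findings in document order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0))))
    return findings


# Constructed sample lines (not from any real repository). The last line has
# the AKIA prefix but the wrong shape and must not be reported.
SAMPLE = (
    "# constructed sample lines, not taken from any real repository\n"
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"
    "GITHUB_TOKEN=ghp_" + "x" * 36 + "\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "AKIA-short   # wrong length, must not match\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

Running the block stand-alone reports three findings (lines 2, 3 and 4 of the sample) and nothing for the malformed last line. In practice the same `scan_text` function can be pointed at each file in a commit, at issue bodies and at comments, which is the scope the article describes.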

In January, as part of an experiment, 14 thousand repositories on GitHub were analyzed. As a result, secret data was found in 1110 repositories (7.9%, that is, in almost every twelfth). For example, the repositories were found to contain 692 GitHub App keys, 155 Azure Storage keys, 155 GitHub personal tokens, 120 Amazon AWS keys and 50 Google API keys.
