
GitHub Launches Code View and Search, Secret Scanning Push Protection in GA

GitHub, the world’s largest software development collaboration platform, announced that its new code view and code search are generally available to all users on GitHub.com. Reading and understanding code is a fundamental task for developers, which is why GitHub has been laying the foundation to improve code search over the past two years. Additionally, secret scanning’s push protection is now generally available for all private repositories with a GitHub Advanced Security (GHAS) licence as well as free for all public repositories.
 
GitHub’s goal with the new code search and code view is to enable developers to quickly search, navigate and understand their code, put critical information into context, and ultimately make them more productive. To achieve that, GitHub has brought three powerful new capabilities to GitHub.com.

  • An entirely redesigned search interface, with suggestions, completions, and the ability to slice and dice the results.
  • GitHub has built a new code search engine, completely from scratch. It is incredibly fast (about twice as fast as the old code search), far more capable (supporting substring queries, regular expressions, and symbol search), and understands code, putting the most relevant results first.
  • GitHub’s code view, which tightly integrates search, browsing, and code navigation, has also been totally redesigned.

This launch is just the beginning — GitHub is infusing intelligence into every aspect of software development. Learn more about code view and code search in this blog.
 
Additionally, push protection is now generally available for private repositories with a GitHub Advanced Security (GHAS) licence. To help developers and maintainers across open source proactively secure their code, GitHub is also making push protection free for all public repositories.
 
Push protection prevents secret leaks without compromising the developer experience by scanning for highly identifiable secrets before they are committed. GitHub partners closely with service providers to ensure tokens have a low false positive rate, ensuring developer trust in its alerts. When a secret is detected in code, developers are prompted directly in their IDE or command line interface with remediation guidance to ensure that the secret is never exposed.
 
Ger McMahon, Product Area Leader ALM Tools and Platforms at Fidelity Investments, explains: “Incorporating secret scanning with push protection directly into the development workflow reduces friction which enables developers to create secure and high-quality code.”
 
Developers need tools they can trust — GitHub designed push protection with this in mind. If developers are pushing a commit containing a secret, a push protection prompt will appear with information on the secret type, its location, and how to remediate the exposure. Once the developer has removed the secret from their commit history, they can re-push their commit. Push protection only blocks secrets with low false positive rates, so when a commit is blocked, you know it’s worth investigating.
 
In certain instances, developers urgently need to push code that contains a secret – for example, to fix an outage quickly and address the secret afterwards. Users can bypass push protection by providing a reason: for example, that the secret is used for testing, that the detection is a false positive, or that it is an acceptable risk that will be fixed later. Repository and organisation administrators and security managers will receive an email alert for every bypass and can audit bypasses via their enterprise and organisation audit logs, the alert view UI, the REST API, or webhook events.
 
According to Leo Stolyarov, Director and Cloud Practice Lead at KPMG, this approach ensures an improved security posture without compromising on velocity. “Secret scanning push protection is a frictionless feature that has brought better security awareness and protection from leaked secrets without compromising developer experience.”
 
Learn more about the GA of secret scanning’s push protection in this blog.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.
