GitHub Advanced Security

Product

Developers:	GitHub
Last Release Date:	2022/04/12
Technology:	Information Security - Information Leakage Prevention

Content

2022
- Representation of Dependency Review GitHub Action
- Ability to proactively block token leaks to API
Notes

White Paper: DLP - Data Loss/Leak Prevention

2022

Representation of Dependency Review GitHub Action

GitHub developers have introduced the Dependency Review GitHub Action feature, which scans user requests for made changes to the dependency and issues an error if any new dependencies contain vulnerabilities. This became known in April 2022.

For April 2022, Dependabot already warns developers when vulnerabilities are detected in their existing dependencies, but the innovation is aimed at ensuring security when adding a new dependency.

The feature is available for private repositories license with Github Advanced Security and for all public repositories on the GitHub Marketplace and on the Actions tab of the user repository under the Security heading.

Dependency Review GitHub Action is supported by an API endpoint that distinguishes dependencies between any two versions. This is achieved by adding a new GitHub action to check dependencies in an existing workflow in one of^[1] projects^[2].

Ability to proactively block token leaks to API

GitHub announced the strengthening of protection against confidential ones entering the repositories, data due to an oversight left by the developers in the code. This became known on April 5, 2022. For example, it happens that files configurations with c, passwords DBMS tokens or access keys to enter the repository. API Previously, scanning was carried out in passive mode and made it possible to identify those that have already occurred leaks that have entered the repository. To prevent leaks, GitHub additionally began to provide an option to automatically block commits that reveal the presence of confidential data.

The check is carried out when git push is executed and leads to the generation of a security violation warning if tokens for connecting to typical APIs are detected in the code. In total, 69 templates were implemented to identify various types of keys, tokens, certificates and credentials. To prevent false positives, only guaranteed token types are checked. After blocking, the developer is invited to review the problem code, eliminate the leak and repeat the commit or mark the blocking false.

The option for preventive leak blocking is still available only to organizations that have access to the GitHub Advanced Security service. Passive scanning is free for all public repositories, but remains paid for private repositories. It is reported that passive scanning has already revealed more than 700 thousand leaks of confidential data in private repositories^[3].

Notes

↑ [https://www.securitylab.ru/news/531102.php the Dependency Review GitHub Action
↑ to prevent vulnerabilities in the code]
↑ GitHub has implemented the ability to proactively block token leaks to the API

Источник — «https://tadviser.com/index.php/Product:GitHub_Advanced_Security»

The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article
If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible.

Simple Link

Model Studio CS: How to use BIM to give new impetus to the development of the fuel and energy complex 4300

Leave a Large Footprint in the Sands of Time 4900

Information modeling technologies: confident course on import substitution 6300