
GitHub Advanced Security

Product
Developers: GitHub
Last Release Date: 2022/04/12
Technology: Information Security - Information Leakage Prevention


2022

Introduction of the Dependency Review GitHub Action

GitHub developers have introduced the Dependency Review GitHub Action, which scans a user's pull request for changes to dependencies and raises an error if any newly added dependency contains known vulnerabilities. This became known in April 2022.

As of April 2022, Dependabot already warns developers when vulnerabilities are detected in their existing dependencies; the new feature is aimed at catching vulnerabilities at the moment a new dependency is added.

The feature is available for private repositories licensed with GitHub Advanced Security and for all public repositories. It can be found on the GitHub Marketplace and on the Actions tab of the user's repository under the Security heading.

The Dependency Review GitHub Action is backed by an API endpoint that diffs the dependencies between any two revisions. It is enabled by adding the new GitHub action as a dependency check step to an existing workflow in one of the projects[1][2].
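The following workflow is an added illustration of the step described above; it is not code from the page or from GitHub's own documentation. It assumes the action is published as actions/dependency-review-action and that the major version tag and the fail-on-severity input are available in the version being used (both are assumptions here, so check them against the Marketplace listing).

```yaml
# .github/workflows/dependency-review.yml (added example, assumed file name)
name: Dependency Review

# Run only on pull requests: the action diffs the dependency graph of the
# PR head against its base and fails the check if a newly introduced
# dependency has a known vulnerability.
on: [pull_request]

# Least privilege: the action only needs to read repository contents.
permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # The checkout gives the action the manifests of the PR head.
      - uses: actions/checkout@v3

      # The review step itself. fail-on-severity (assumed input name) sets
      # the minimum advisory severity that blocks the pull request; lower
      # severities are still reported in the check output.
      - uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: moderate
```

Because the job runs on the pull_request event, the check is applied before the change is merged, which is the point of the feature: Dependabot reports vulnerable dependencies that are already in the tree, while this step refuses to let a vulnerable one in.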

Ability to proactively block API token leaks

GitHub announced stronger protection against confidential data getting into repositories through developer oversight in the code. This became known on April 5, 2022. For example, configuration files containing DBMS passwords, API tokens or access keys sometimes end up in a repository. Previously, scanning was performed in passive mode and only identified leaks that had already occurred and entered the repository. To prevent leaks, GitHub has additionally started offering an option to automatically block commits that reveal the presence of confidential data.

The check is carried out when git push is executed and produces a security violation warning if tokens for connecting to common APIs are detected in the code. In total, 69 patterns were implemented to identify various types of keys, tokens, certificates and credentials. To prevent false positives, only token types whose format can be reliably identified are checked. After a block, the developer is invited to review the offending code, remove the leak and repeat the commit, or to mark the block as a false positive.

The option for preventive leak blocking is so far available only to organizations that have access to the GitHub Advanced Security service. Passive scanning is free for all public repositories but remains paid for private repositories. It is reported that passive scanning has already revealed more than 700 thousand leaks of confidential data in private repositories[3].

Notes